core: fix file_get_by_tag()

Fixes a race in file_get_by_tag() where a file is just about to be freed
but hasn't been removed from the linked list yet.

Fixes: bae0f170e321 ("core: file: refactor int

core: fix file_get_by_tag()

Fixes a race in file_get_by_tag() where a file is just about to be freed
but hasn't been removed from the linked list yet.

Fixes: bae0f170e321 ("core: file: refactor interface to be thread safe")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: make mutex_trylock() work with lockdep

Instrument mutex_trylock() with lockdep_tryacquire() so that it can be
used with CFG_LOCKDEP=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro

core: make mutex_trylock() work with lockdep

Instrument mutex_trylock() with lockdep_tryacquire() so that it can be
used with CFG_LOCKDEP=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: lockdep: support non-blocking acquire

Adds support for non-blocking lock semantics such as mutex_trylock().
A new function is introduced to instrument this operation:
lockdep_tryacquire(). It

core: lockdep: support non-blocking acquire

Adds support for non-blocking lock semantics such as mutex_trylock().
A new function is introduced to instrument this operation:
lockdep_tryacquire(). It should be called when it is known that
ownership of the underlying object has been granted to the caller. It
behaves similarly to lockdep_acquire() in that it does record the call
stack and records that the lock is owned. But it does not create any
dependencies to the locks that are currently owned by the caller. See
"Dynamic Lock Dependency Analysis of Concurrent Systems" [1] section
5.3.

Link: [1] http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.87.132&rep=rep1&type=pdf
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pager: fix NULL deref in tee_pager_pgt_save_and_release_entries()

Fixes a potential NULL dereference in
tee_pager_pgt_save_and_release_entries() in case a struct user_ta_ctx
doesn't have an ar

core: pager: fix NULL deref in tee_pager_pgt_save_and_release_entries()

Fixes a potential NULL dereference in
tee_pager_pgt_save_and_release_entries() in case a struct user_ta_ctx
doesn't have an areas pointer allocated yet.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: allocate temp secmem for invoke

Allocates temporary secure memory for buffers in TA private memory
passed to invoke_command/open_session. This offloads the logic in TEE
core which until now

libutee: allocate temp secmem for invoke

Allocates temporary secure memory for buffers in TA private memory
passed to invoke_command/open_session. This offloads the logic in TEE
core which until now has allocated temporary secure memory as needed
during TA to TA calls.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: support dynamic memory mapping

Adds tee_map_zi() and tee_unmap() as wrappers for PTA_SYSTEM_MAP_ZI and
PTA_SYSTEM_UNMAP respectively.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro

libutee: support dynamic memory mapping

Adds tee_map_zi() and tee_unmap() as wrappers for PTA_SYSTEM_MAP_ZI and
PTA_SYSTEM_UNMAP respectively.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: user_ta_entry.c: {to,from}_utee_params()

Use local implementation of to_utee_params() and from_utee_params().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jen

libutee: user_ta_entry.c: {to,from}_utee_params()

Use local implementation of to_utee_params() and from_utee_params().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta_system: support dynamic memory mapping

Adds PTA_SYSTEM_MAP_ZI and PTA_SYSTEM_UNMAP to dynamically map and unmap
user space memory from user space. The memory is automatically freed
when th

core: pta_system: support dynamic memory mapping

Adds PTA_SYSTEM_MAP_ZI and PTA_SYSTEM_UNMAP to dynamically map and unmap
user space memory from user space. The memory is automatically freed
when the context of the TA is freed.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta_system: set TA_FLAG_CONCURRENT

The system pseudo TA is used instead of adding new syscalls. To ensure
concurrent execution and more importantly avoid dead-lock due to
interference with the

core: pta_system: set TA_FLAG_CONCURRENT

The system pseudo TA is used instead of adding new syscalls. To ensure
concurrent execution and more importantly avoid dead-lock due to
interference with the single instance lock and for instance waiting for
page tables when adding new mappings.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix access flags in system_derive_ta_unique_key()

Updates the access flags used to test that the supplied TA buffer is
indeed secure.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.or

core: fix access flags in system_derive_ta_unique_key()

Updates the access flags used to test that the supplied TA buffer is
indeed secure.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add user_ta_set_prot()

Adds user_ta_set_prot() which allows changing protection bits read,
write and execute as long as they don't conflict with page sharing.

Acked-by: Jerome Forissier <jero

core: add user_ta_set_prot()

Adds user_ta_set_prot() which allows changing protection bits read,
write and execute as long as they don't conflict with page sharing.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add user_ta_map() and user_ta_unmap()

Adds user_ta_map() and user_ta_unmap() to create/remove new maps from
user space.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by:

core: add user_ta_map() and user_ta_unmap()

Adds user_ta_map() and user_ta_unmap() to create/remove new maps from
user space.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add TEE_MATTR_SHAREABLE

Adds TEE_MATTR_SHAREABLE to tag mappings that may be shared by other TAs.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <je

core: add TEE_MATTR_SHAREABLE

Adds TEE_MATTR_SHAREABLE to tag mappings that may be shared by other TAs.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: user_ta: keep load segs in linked list

Keeps the load segments of an ELF in a singly linked list instead of an
array.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by

core: user_ta: keep load segs in linked list

Keeps the load segments of an ELF in a singly linked list instead of an
array.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add vm_map_pad()

Adds vm_map_pad() which allows specifying how much free memory should be
available before and after the map.

This allows mapping the first part of for instance an ELF file wh

core: add vm_map_pad()

Adds vm_map_pad() which allows specifying how much free memory should be
available before and after the map.

This allows mapping the first part of for instance an ELF file while
knowing that the next part which has to be of a certain offset from the
first part also will succeed.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: vm_map changes, only on active context

For easier cache maintenance vm_set_prot() and vm_unmap() requires the
supplied context to be active.

Calls to tee_mmu_set_ctx() is added in vm_set_prot

core: vm_map changes, only on active context

For easier cache maintenance vm_set_prot() and vm_unmap() requires the
supplied context to be active.

Calls to tee_mmu_set_ctx() is added in vm_set_prot() and vm_unmap() as
needed for the changes in mappings to take effect.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add vm_unmap()

Adds vm_unmap() to simplify removing mappings previously added with
vm_map().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wi

core: add vm_unmap()

Adds vm_unmap() to simplify removing mappings previously added with
vm_map().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: file: refactor interface to be thread safe

Adds file_lock() and file_unlock() to change the lock state of a file.

file_new() is removed, the only way to create a file is with
file_get_by_tag(

core: file: refactor interface to be thread safe

Adds file_lock() and file_unlock() to change the lock state of a file.

file_new() is removed, the only way to create a file is with
file_get_by_tag() which will return an empty newly allocated file if
none can be found.

file_add_slice() is added to add slices to a file, one by one.

With this can multiple threads try to load a TA at once, the first one
taking the lock will add all the slices to the file.

The code in user_ta.c and elf_load.c using the <file.h> interface can
be optimized to allow more operations in parallel.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: lockdep: support lock destroy

With lockdep enabled (CFG_LOCKDEP=y), additional cleanup is needed when
a mutex is destroyed. This patch adds mutex_destroy_check() which is
called when a mutex i

core: lockdep: support lock destroy

With lockdep enabled (CFG_LOCKDEP=y), additional cleanup is needed when
a mutex is destroyed. This patch adds mutex_destroy_check() which is
called when a mutex is destroyed with mutex_destroy(). From
mutex_destroy_check() the corresponding lockdep node and all edges
referring to it are removed.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: sys/queue.h: add STAILQ_REMOVE_AFTER()

Import macro STAILQ_REMOVE_AFTER from FreeBSD.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklande

libutils: sys/queue.h: add STAILQ_REMOVE_AFTER()

Import macro STAILQ_REMOVE_AFTER from FreeBSD.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add SLIST_HEAD() and SLIST_ENTRY() to typedefs.checkpatch

When using BSD queues from <sys/queues.h>, a simple list entry is declared
with a macro:

SLIST_ENTRY(type) var;

This makes checkpatch.pl u

Add SLIST_HEAD() and SLIST_ENTRY() to typedefs.checkpatch

When using BSD queues from <sys/queues.h>, a simple list entry is declared
with a macro:

SLIST_ENTRY(type) var;

This makes checkpatch.pl unhappy because the type is unknown:

WARNING: Missing a blank line after declarations
+ struct file *file;
+ SLIST_ENTRY(load_seg) link;

Checkpatch has the same problem with the macro SLIST_HEAD().

This patch adds a regular expression to typedefs.chackpatch that
matches the macro part, thus fixing the warning.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce OPTEE_SMC_SEC_CAP_VIRTUALIZATION

We need some way to tell normal world if OP-TEE does support
virtualization. Prior to this patch NW had to probe for virtualization by
calling OPTEE_

core: introduce OPTEE_SMC_SEC_CAP_VIRTUALIZATION

We need some way to tell normal world if OP-TEE does support
virtualization. Prior to this patch NW had to probe for virtualization by
calling OPTEE_SMC_VM_DESTROYED which is not reliable.

New capability flag OPTEE_SMC_SEC_CAP_VIRTUALIZATION solves this issue.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pem_to_pub_c.py: Rework code to be more pythonic

Instances of open() were wrapped in with statements to ensure proper
closing of files even in the case of errors. This also improves
the readability

pem_to_pub_c.py: Rework code to be more pythonic

Instances of open() were wrapped in with statements to ensure proper
closing of files even in the case of errors. This also improves
the readability of the code.

Signed-off-by: Markus S. Wamser <markus.wamser@mixed-mode.de>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
[jf: add file name to commit subject and use imperative mood]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

pem_to_pub_c.py: Add sanity check for public exponent of TA signing key

This change fixes a potential security vulnerability.

The public exponent of the TA signing key is stored by OP-TEE OS as an

pem_to_pub_c.py: Add sanity check for public exponent of TA signing key

This change fixes a potential security vulnerability.

The public exponent of the TA signing key is stored by OP-TEE OS as an
unsigned 32-bit integer. While rarely seen in the wild, public exponents
that overflow this storage field exist. Although the C compiler usually
generates an overflow warning when such an exponent would be set, this
happens only once after the key was changed and is easily overlooked.
With this change the script throws an exception, notifying the user of the
unsuitable key.

Without the sanity check, such an unsuitable key would simply lead to
TA signature verification failures. However, if the public exponent e
is close to a multiple of 2^32, a small exponent attack to forge a
signature might be feasible.

Signed-off-by: Markus S. Wamser <markus.wamser@mixed-mode.de>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
[jf: add file name to commit subject]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: elf_load_dyn.c: use DT_HASH to lookup symbols faster

Use the ELF hash table to lookup symbols rather than iterating over
the whole symbol table. With this change, relocations are applied
much

core: elf_load_dyn.c: use DT_HASH to lookup symbols faster

Use the ELF hash table to lookup symbols rather than iterating over
the whole symbol table. With this change, relocations are applied
much more quickly. For instance, with QEMU and CFG_ULIBS_SHARED=y, the
average time for the relocation loop in tee_ta_init_user_ta_session()
is reduced from 60-70 ms to 2-3 ms (tested with xtest).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...