arm32: prevent unwinding of __ta_entry()

Since commit eeb866c431db ("Add TA entry point function: __ta_entry()"),
__ta_entry() is the first function in the user space call stack, not
__utee_entry().

arm32: prevent unwinding of __ta_entry()

Since commit eeb866c431db ("Add TA entry point function: __ta_entry()"),
__ta_entry() is the first function in the user space call stack, not
__utee_entry(). Therefore, the asm(".cantunwind") declaration should be
moved from __utee_entry() to __ta_entry().

When utee_return() was moved from __utee_entry() to __ta_entry() by
commit fde3a7f212f8 ("Remove redundant __noreturn from __utee_entry()"),
it caused a regression in xtest 1010.3. The stack unwinding would enter
an infinite loop as follows:

E/TC:? 0 User TA prefetch-abort at address 0x0 (translation fault)
E/TC:? 0 fsr 0x00000005 ttbr0 0x3f07906a ttbr1 0x3f06c06a cidr 0x2
E/TC:? 0 cpu #7 cpsr 0x80000110
E/TC:? 0 r0 0x00000001 r4 0x00161448 r8 0x00161438 r12 0x00152f80
E/TC:? 0 r1 0x00000002 r5 0x00152f40 r9 0x00152f30 sp 0x00152f10
E/TC:? 0 r2 0x00000000 r6 0x00152f80 r10 0x0000000a lr 0x0015498d
E/TC:? 0 r3 0x00152f14 r7 0x00161458 r11 0x00245420 pc 0x00000000
E/TC:? 0 Status of TA 5b9e0e40-2636-11e1-ad9e-0002a5d5c51b (0x3f069c30) (active)
E/TC:? 0 arch: arm load address: 0x00153000 ctx-idr: 2
E/TC:? 0 stack: 0x00150000 12288
E/TC:? 0 region 0: va 0x00100000 pa 0x3f000000 size 0x002000 flags ---R-X
E/TC:? 0 region 1: va 0x00150000 pa 0x3f110000 size 0x003000 flags rw-RW-
E/TC:? 0 region 2: va 0x00153000 pa 0x3f113000 size 0x00e000 flags r-xR-- [0] .ta_head .text .plt .rodata .ARM.extab .ARM.extab.text.unlikely .ARM.extab.text.__aeabi_ldivmod .ARM.extab.text.__aeabi_uldivmod .ARM.extab.text.utee_panic .ARM.exidx .dynsym .dynstr .hash
E/TC:? 0 region 3: va 0x00161000 pa 0x3f121000 size 0x0e5000 flags rw-RW- [0] .got .rel.got .rel.plt .dynamic .data .bss .rel.dyn
E/TC:? 0 region 4: va 0x00246000 pa 0x3f101000 size 0x001000 flags r-xR-- [1] .hash .dynsym .dynstr .rel.plt .plt .text .ARM.exidx
E/TC:? 0 region 5: va 0x00247000 pa 0x3f102000 size 0x001000 flags rw-RW- [1] .dynamic .got
E/TC:? 0 region 6: va 0x00248000 pa 0x3f100000 size 0x001000 flags r-----
E/TC:? 0 [0] 5b9e0e40-2636-11e1-ad9e-0002a5d5c51b @ 0x00153000 (optee_test/out/ta/os_test/5b9e0e40-2636-11e1-ad9e-0002a5d5c51b.elf)
E/TC:? 0 [1] ffd2bded-ab7d-4988-95ee-e4962fff7154 @ 0x00246000 (optee_test/out/ta/os_test_lib/libos_test.so)
E/TC:? 0 Call stack:
E/TC:? 0 0x00000000 ???
E/TC:? 0 0x0015c629 __ta_entry at optee_os/out/arm/export-ta_arm32/src/user_ta_header.c:41
E/TC:? 0 0x0015c62d tahead_get_trace_level at optee_os/out/arm/export-ta_arm32/src/user_ta_header.c:117
E/TC:? 0 0x0015c62d tahead_get_trace_level at optee_os/out/arm/export-ta_arm32/src/user_ta_header.c:117
...

Moving the .cantunwind directive fixes the issue.

Fixes: fde3a7f212f8 ("Remove redundant __noreturn from __utee_entry()")
Fixes: eeb866c431db ("Add TA entry point function: __ta_entry()")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Sumit Garg <sumit.garg@linaro.org>

show more ...

hikey960: add support for 6G boards (CFG_DRAM_SIZE_GB=6)

Adds support for CFG_DRAM_SIZE_GB=6 and declares the non-secure
physical memory range 4~7G which may be used as shared memory by Linux
[1].

hikey960: add support for 6G boards (CFG_DRAM_SIZE_GB=6)

Adds support for CFG_DRAM_SIZE_GB=6 and declares the non-secure
physical memory range 4~7G which may be used as shared memory by Linux
[1].

Link: [1] https://github.com/96boards-hikey/OpenPlatformPkg/blob/50c813d0b9b3/Platforms/Hisilicon/HiKey960/Library/HiKey960Lib/HiKey960Mem.c#L40-L42
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey960: fix memory mapping for 4G boards (CFG_DRAM_SIZE_GB=4)

HiKey960 boards equipped with 4G of RAM may use physical addresses in
the range 8G~8.5G [1]. This range is currently not declared in O

hikey960: fix memory mapping for 4G boards (CFG_DRAM_SIZE_GB=4)

HiKey960 boards equipped with 4G of RAM may use physical addresses in
the range 8G~8.5G [1]. This range is currently not declared in OP-TEE,
so if Linux happens to be using it for shared memory, it will cause
problems. This can happen when:
1. Dynamic shared memory is enabled in OP-TEE (CFG_CORE_DYN_SHM=y) and
used by the kernel driver ("optee: dynamic shared memory is enabled" in
the boot log), and
2. The UEFI firmware is recent enough to report the whole physical
address range to the kernel (introduced in edk2's OpenPlatformPkg
commit 50c813d0b9b3 ("Platforms/HiKey960: Support 4G or more memory
space for RAM") [2].

The typical error is (the address could be any value >4G):

E/TC:6 0 tee_entry_std:551 Bad arg address 0x217e9a000

This commit fixes the issue by adding the missing memory range.
Obviously, dealing with PAs greater than 4G requires a 64-bit TEE core
or CFG_CORE_LARGE_PHYSICAL_ADDR=y, so a compile-time check is added.

Link: [1] https://github.com/96boards-hikey/OpenPlatformPkg/blob/50c813d0b9b3/Platforms/Hisilicon/HiKey960/Library/HiKey960Lib/HiKey960Mem.c#L34-L38
Link: [2] https://github.com/96boards-hikey/OpenPlatformPkg/commit/50c813d0b9b3
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Sungjin Park <sungjinp@gmail.com>

show more ...

core: imx: Fix compilation warnings leading to build breakage

The following two commits slipped through warnings that weren't caught by
Shippable:

Commit 4cb61ae7d98e ("core: imx: Add simple CAAM p

core: imx: Fix compilation warnings leading to build breakage

The following two commits slipped through warnings that weren't caught by
Shippable:

Commit 4cb61ae7d98e ("core: imx: Add simple CAAM permissions set routine")
Commit f142f6f224fe ("core: imx: Add in calls to set CAAM job-ring
permissions")

This patch fixes both warnings.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reported-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

MAINTAINERS: Update list of maintainers

Add Jerome Forissier back to the list of maintainers.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro

MAINTAINERS: Update list of maintainers

Add Jerome Forissier back to the list of maintainers.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

PTA: change method for checking memory in derive TA key

The tee_vbuf_is_sec() which ends up as core_vbuf_is() doesn't work with
paged user space memory, so instead use tee_mmu_check_access_rights().

PTA: change method for checking memory in derive TA key

The tee_vbuf_is_sec() which ends up as core_vbuf_is() doesn't work with
paged user space memory, so instead use tee_mmu_check_access_rights().

Fixes: a30ddda9e488 ("PTA: add support for deriving device and TA unique keys")

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

PTA: add support for deriving device and TA unique keys

Enable derivation of device and Trusted Application unique keys that can
be used by different Trusted Applications directly. An example of use

PTA: add support for deriving device and TA unique keys

Enable derivation of device and Trusted Application unique keys that can
be used by different Trusted Applications directly. An example of use
case could be when you need to encrypt some data in a Trusted App and
then give it back to normal world.

By default device unique properties (HUK and TA UUID) will be used when
deriving a key. However, the one calling the PTA derive key function
also have the ability to provide some extra data that will be mixed in
together with existing device unique properties. That gives the ability
to derive keys that are not only device and Trusted Application unique,
but also tied to some additional data, it could for example be a
password or something similar.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

HUK: Add enum for TA unique key derivation

Add an additional enum that will be used when deriving device and TA
unique keys.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wi

HUK: Add enum for TA unique key derivation

Add an additional enum that will be used when deriving device and TA
unique keys.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ftrace: arm64: handle special setjmp()/longjmp() apis

setjmp()/longjmp() user-space apis are used to perform a nonlocal goto
which transfer execution from one function to a predetermined location
in

ftrace: arm64: handle special setjmp()/longjmp() apis

setjmp()/longjmp() user-space apis are used to perform a nonlocal goto
which transfer execution from one function to a predetermined location
in another function. This is a special case as compared to normal "C"
function calls. So this patch enables ftrace to generate function graph
for these apis.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)

show more ...

symbolize.py: add support to symbolize TA ftrace addresses

Add supoort to symbolize function graph addresses for instrumented TA.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Joak

symbolize.py: add support to symbolize TA ftrace addresses

Add supoort to symbolize function graph addresses for instrumented TA.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)

show more ...

core: enable ftrace for TAs built using shared libraries

To enable ftrace for TAs built with shared libraries, we need to dump
the TA state (include regions dump along with mapping to <uuid>.elf) in

core: enable ftrace for TAs built using shared libraries

To enable ftrace for TAs built with shared libraries, we need to dump
the TA state (include regions dump along with mapping to <uuid>.elf) in
corresponding ftrace buffer for symbolize.py script to map symbols to
particular shared libraries.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)

show more ...

libutee: arm64: Add support for function tracing of user TAs

Function tracing (ftrace) is a useful debugging technique to dump
function call graph for in-depth analysis of program execution and also

libutee: arm64: Add support for function tracing of user TAs

Function tracing (ftrace) is a useful debugging technique to dump
function call graph for in-depth analysis of program execution and also
to get useful information in case of any program abort.

In case of TA, this function graph information is dumped in a buffer
kept in .bss section of corresponding instrumented TA. So this buffer
can be dumped to normal world in case TA session closes or in case of
any abort. Also size of this ftrace buffer is configurable per TA via
following config option during TA compilation:

CFG_FTRACE_BUF_SIZE=2048

Function tracing is completely optional debugging feature which could
be enabled via command line config option CFG_TA_FTRACE_SUPPORT=y.

Along with this user needs to add cflag: "-pg" to the files for whom
function graph is to be generated. Typically for the whole TA, it should
be compiled with CFG_TA_MCOUNT=y.

And in case user wants to set "-pg" for particular file, following should
go in corresponding sub.mk:

cflags-<file-name>-y+=-pg

Also, to generate function graph for user mode libraries enable
CFG_ULIBS_MCOUNT=y which will set "-pg" for all library files.

Currently this patch adds support for function tracing of 64-bit
TAs only.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)

show more ...

core: prepare support for TA function tracing

To support TA function tracing OP-TEE core role being:
- To initialize and register ftrace buffer per TA session.
- To dump TA ftrace buffer to normal w

core: prepare support for TA function tracing

To support TA function tracing OP-TEE core role being:
- To initialize and register ftrace buffer per TA session.
- To dump TA ftrace buffer to normal world via RPC call in case TA
session closes or in case of TA abort.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)

show more ...

Rename CFG_ULIBS_GPROF to CFG_ULIBS_MCOUNT

CFG_ULIBS_GPROF builds the user mode libraries with -pg, which adds
instrumentation to all functions in the form of a call to mcount().
This was historical

Rename CFG_ULIBS_GPROF to CFG_ULIBS_MCOUNT

CFG_ULIBS_GPROF builds the user mode libraries with -pg, which adds
instrumentation to all functions in the form of a call to mcount().
This was historically used by gprof, but other tools can benefit from
this instrumentation. Therefore, rename the config flag as well as a
couple of source files to remove the reference to gprof.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)

show more ...

core: fix AArch64 user TA stack dump

Restores user TA stack base and size __print_stack_unwind_arm64() to be
able to dump the user TA stack.

Fixes: c0bc8d0e7d72 ("core: print TA stack dump from thr

core: fix AArch64 user TA stack dump

Restores user TA stack base and size __print_stack_unwind_arm64() to be
able to dump the user TA stack.

Fixes: c0bc8d0e7d72 ("core: print TA stack dump from thread context")
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

TA dev kit: always link shared libraries against OP-TEE libraries

If a TA shared library is created, and needs to call OP-TEE functions,
it needs to link against the TEE libraries (libutee, libutils

TA dev kit: always link shared libraries against OP-TEE libraries

If a TA shared library is created, and needs to call OP-TEE functions,
it needs to link against the TEE libraries (libutee, libutils etc.) in
a similar way to TAs.

This patch adds the proper flags.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: sm: explicit return value for sm_from_nsec()

Define macros to explicit return value for sm_from_nsec() used
in monitor assembly trampoline to invoke either secure or non-secure
world.

Signed-

core: sm: explicit return value for sm_from_nsec()

Define macros to explicit return value for sm_from_nsec() used
in monitor assembly trampoline to invoke either secure or non-secure
world.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu)

show more ...

core: sm: embed sm_platform_handler upon CFG_SM_PLATFORM_HANDLER

When CFG_SM_PLATFORM_HANDLER is disabled don't even call platform
handler which is not embedded. This change aligns sm_platform_handl

core: sm: embed sm_platform_handler upon CFG_SM_PLATFORM_HANDLER

When CFG_SM_PLATFORM_HANDLER is disabled don't even call platform
handler which is not embedded. This change aligns sm_platform_handler()
and std_handler() in secure monitor integration.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: explicit return value for sm_platform_handler()

Changes sm_platform_handler() to explicitly return whether the SMC
was handled or if it shall be relayed to another layer. Prior this
change the

core: explicit return value for sm_platform_handler()

Changes sm_platform_handler() to explicitly return whether the SMC
was handled or if it shall be relayed to another layer. Prior this
change the function returned false when the SMC had been handled and
true otherwise which are not obvious return values.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: correct _fdt_get_status() description

Correct _fdt_get_status() function description since it returns a
positive or null value on success and -1 on error.

Signed-off-by: Etienne Carriere <eti

core: correct _fdt_get_status() description

Correct _fdt_get_status() function description since it returns a
positive or null value on success and -1 on error.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: fix missing unpaged constraint on mobj_with_fobj_get_pa()

mobj_with_fobj_get_pa() gets called when a TA crashed and core prints
some information about the TA. This change ensures the function

core: fix missing unpaged constraint on mobj_with_fobj_get_pa()

mobj_with_fobj_get_pa() gets called when a TA crashed and core prints
some information about the TA. This change ensures the function belongs
to an unpaged section.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ensure embedded DTB found trace is output once

Move info trace "Embedded DTB found" so that it is output only once
even when get_embedded_dt() is called several times.

Signed-off-by: Etienne

core: ensure embedded DTB found trace is output once

Move info trace "Embedded DTB found" so that it is output only once
even when get_embedded_dt() is called several times.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix core panic when CFG_UNWIND=n

This change fixes a core panic occurrence when a TA panics while core
is built with CFG_TEE_CORE_DEBUG=y and CFG_UNWIND=n.

When a TA panics while CFG_UNWIND=n

core: fix core panic when CFG_UNWIND=n

This change fixes a core panic occurrence when a TA panics while core
is built with CFG_TEE_CORE_DEBUG=y and CFG_UNWIND=n.

When a TA panics while CFG_UNWIND=n, the thread specific data holding
abort_type was not loaded prior this change. The abort sequence that
print information to the console dumps now does not attemp to dump
un-relevant CPU register content.

Prior this change, ARM32 code could panic since reading an invalid SPSR
value when printing CPU state to the console, with an error trace like:

E/TC:? 0 TA panicked with code 0xbeef
E/TC:? 0 assertion 'thread_get_exceptions() & THREAD_EXCP_FOREIGN_INTR' failed at core/arch/arm/include/kernel/misc.h:22 <get_core_pos>
E/TC:0 0 Panic at core/kernel/assert.c:28 <_assert_break>


Prior this change ARM64 code printed irrelevant CPU state information
as below:

E/TC:? 0 TA panicked with code 0xbeef
E/TC:? 0
E/TC:? 0 User TA undef-abort at address 0x0
E/TC:? 0 esr 0x00000000 ttbr0 0x200000e173020 ttbr1 0x00000000 cidr 0x0
E/TC:? 0 cpu #0 cpsr 0x00000000
E/TC:? 0 x0 0000000000000000 x1 0000000000000000
(...)
E/TC:? 0 x30 0000000000000000 elr 0000000000000000
E/TC:? 0 sp_el0 0000000000000000

Fixes: c0bc8d0e7d72 ("core: print TA stack dump from thread context")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: move embedded DTB out of init sections

This change makes generic boot to discover non-secure memory and
console configuration from the external DTB only, no more from the
embedded DTB as prior

core: move embedded DTB out of init sections

This change makes generic boot to discover non-secure memory and
console configuration from the external DTB only, no more from the
embedded DTB as prior this change. When generic boot attempts to access
embedded DTB, the embedded DTB gets located in init read-only data
section become unnecessary too big. With this change, embedded DTB now
lies in the standard pageable read-only data section, relaxing memory
footprint constraint.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers/stpmic1: unpaged low power sequence

STPMIC1 is used by the secure world to driver the system low power
sequences. Since these sequences are executed in unpaged context,
the driver gets the c

drivers/stpmic1: unpaged low power sequence

STPMIC1 is used by the secure world to driver the system low power
sequences. Since these sequences are executed in unpaged context,
the driver gets the configuration from the DTB during the initialization
and provides optimized functions to load target configuration at
runtime.

This change makes STPMIC1 driver to call the memory footprint optimized
function stm32_i2c_read_write_membyte() for I2C transfer instead of
generic stm32_i2c_mem_read()/stm32_i2c_mem_write(). This is more
suitable to OP-TEE pager constraints on the platform.

This changes removes now unused STPMIC1_I2C_TIMEOUT_US.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...