mk/config.mk: remove untrue comment

The comment stating that the REE filesystem is the only possible storage
to load Trusted Applications from is not true anymore. As described in
documentation/opte

mk/config.mk: remove untrue comment

The comment stating that the REE filesystem is the only possible storage
to load Trusted Applications from is not true anymore. As described in
documentation/optee_design.md, two other options are possible (early TAs
and secure storage). Therefore, remove the comment.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit remove

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit removes buf_compare_ct(). A compatibility wrapper is kept
in <string_ext.h> to avoid knowingly breaking the build of any TA that
may use it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison

libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison is not constant time for a given buffer size can reveal
information on the buffer content and lead to side-channel attacks.
Although the GlobalPlatform TEE Internal Core API specification says
nothing about this timing aspect, it is unsafe not to propose a constant
time implementation to TAs. A member of the GP specification working
group confirmed in an informal discussion.

Therefore, replace memcmp() with consttime_memcmp() for constant time
comparison. If a TA needs the fastest possible buffer comparison it can
call the C library function memcmp() (from <string.h>), which we provide
in libutils.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() fun

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() function,
which has only two possible outcomes (zero or non-zero), the new function
is a direct replacement for memcmp() because it returns three possible
states (< 0, 0, > 0).

Link: [1] http://bk.ntp.org/ntp-stable/lib/isc/tsmemcmp.c
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: RPMB FS: check for potential overflows

This commit deals with a number of potential integer overflows in the
RPMB FS code.

rpmb_fs_init() requests device information from the REE. The RPMB si

core: RPMB FS: check for potential overflows

This commit deals with a number of potential integer overflows in the
RPMB FS code.

rpmb_fs_init() requests device information from the REE. The RPMB size
is returned in struct rpmb_dev_info (field rpmb_size_mult) and is used
in a multiplication that could overflow. Use MUL_OVERFLOW() to deal with
this case.

Some overflow checks are also added in the read and write paths.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.12]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: syscall_authenc_init(): check nonce accessibility

syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.

Signed-off-by: Jerome Forissier

core: syscall_authenc_init(): check nonce accessibility

syscall_authenc_init() does not check that the given nonce address is
within TA accessible memory. Fix that.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.10]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: crypto: add overflow check when copying attributes

In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could
overflow if a very large attr_count is given. Use MUL_OVERFLOW() to
prop

core: crypto: add overflow check when copying attributes

In copy_in_attrs(), attr_count * sizeof(struct utee_attribute) could
overflow if a very large attr_count is given. Use MUL_OVERFLOW() to
properly deal with this case.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.9]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: get_elf_segments(): use memmove on overlapping memory

get_elf_segments() final stage aggregates ELF segments. In the while
loop, the logic to remove the current index is to use memcpy() to shi

core: get_elf_segments(): use memmove on overlapping memory

get_elf_segments() final stage aggregates ELF segments. In the while
loop, the logic to remove the current index is to use memcpy() to shift
down everything beyond that point. This is incorrect; memmove() should
be used instead.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.8]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: load_elf_from_store(): check stack size

Inside load_elf_from_store(), the ta_head structure is retrieved from
un-authenticated area, and contains the stack size. The stack size could
either al

core: load_elf_from_store(): check stack size

Inside load_elf_from_store(), the ta_head structure is retrieved from
un-authenticated area, and contains the stack size. The stack size could
either already be 0, or could be large enough so it becomes 0 when rounded
up to STACK_ALIGNMENT. This could result in vm_map() returning a virtual
address for a 0-size memory block or other issues.

Check the rounded-up stack_size value before using it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.7]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.foriss

core: add VA overflow check in shdr_alloc_and_copy()

Make sure that no address overflow can occur when shdr_alloc_and_copy()
copies the signed header.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.4]
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would b

core: add overflow check in mobj_reg_shm_alloc()

In function mobj_reg_shm_alloc(), the macro MOBJ_REG_SHM_SIZE() could
overflow depending on 'nr_pages'. In such case, the mobj_reg_shm memory
would be a small memory block, while num_pages would be large, which could
lead to a generous memcpy() when copying the pages in internal memory, the
outcome of this depends on memory mapping.

Note: no attack path are identified to exploit this overflow, however it
is error prone and could lead to a future vulnerability.

This commit replaces the MOBJ_REG_SHM_SIZE() macro with a static
function that performs the same computation, but returns 0 in case of
integer overflow. The call site is updated to return an error status
should this situation happen.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: do not use virtual addresses as session identifier

Session context virtual address is returned to the REE in
entry_open_session(); it is then used back in entry_close_session() and
entry_invok

core: do not use virtual addresses as session identifier

Session context virtual address is returned to the REE in
entry_open_session(); it is then used back in entry_close_session() and
entry_invoke_command(). Sharing virtual addresses with the REE leads to
virtual memory addresses disclosure that could be leveraged to defeat
ASLR (if/when implemented) and/or mount an attack.

Similarly, syscall_open_ta_session() returns a session ID directly
derived from the session virtual address to the caller TA.

This commit introduces a 32-bit identifier field in struct tee_ta_session.
The ID is generated when the session is created, starting from the id of
the last session in the queue, and counting up until a number that is not
used in the session queue is found.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [2.1]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: ELF relocation: use ADD_OVERFLOW()

The ELF relocation functions e32_process_rel() and e64_process_rel()
can experience integer overflows which could result in invalid memory
access. Use ADD_OV

core: ELF relocation: use ADD_OVERFLOW()

The ELF relocation functions e32_process_rel() and e64_process_rel()
can experience integer overflows which could result in invalid memory
access. Use ADD_OVERFLOW() to prevent these.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.8]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers

At the end of elf_load_body(), section headers are copied in a system heap
memory block, associated to state->shdr. As the co

core: elf_load_body(): use MUL_OVERFLOW() to get size of section headers

At the end of elf_load_body(), section headers are copied in a system heap
memory block, associated to state->shdr. As the computed size is the
result of an uncontrolled multiplication (ehdr.e_shnum * ehdr.e_shentsize),
it could have overflowed and result in allocating a small memory block.

Use an overflow checking macro to prevent this case.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.7]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: umap_add_region(): add overflow check

Use ADD_OVERFLOW() to be more resilient to very large values
potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier <jerome.forissier@l

core: umap_add_region(): add overflow check

Use ADD_OVERFLOW() to be more resilient to very large values
potentially passed to umap_add_region().

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [1.3]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: entry_std.c: clean memory type inline comments

This change modifies inline comments.

Replace "non sec" and "nonsecure" with "non-secure".
Fixup "Rerefence" into "reference".
Clarify contiguou

core: entry_std.c: clean memory type inline comments

This change modifies inline comments.

Replace "non sec" and "nonsecure" with "non-secure".
Fixup "Rerefence" into "reference".
Clarify contiguous shared memory comment.
Minor rephrasing for consistency.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
[jf: minor edit to commit subject]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: embed BSEC driver

Embed BSEC driver in platform stm32mp1. The platform implements
stm32mp_get_bsec_static_cfg() to provide BSEC static configuration.

Add BSEC node in stm32mp157c.dtsi.
Ad

stm32mp1: embed BSEC driver

Embed BSEC driver in platform stm32mp1. The platform implements
stm32mp_get_bsec_static_cfg() to provide BSEC static configuration.

Add BSEC node in stm32mp157c.dtsi.
Add BSEC node with some BSEC word definition and assignment (non-secure
and/or secure) for board stm32mp157c-ed1 and stm32mp157c-ev1.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32_bsec: OTP driver for stm32mp platforms

BSEC is a one time programmable (OTP) memory interface for stm32mp
SoCs. OTPs are grouped into 32bit words identified by a incremental ID
starting from 0

stm32_bsec: OTP driver for stm32mp platforms

BSEC is a one time programmable (OTP) memory interface for stm32mp
SoCs. OTPs are grouped into 32bit words identified by a incremental ID
starting from 0. Shadowed OTPs are loaded in a volatile memory yet
used as OTP values by the software.

The platform shall implement stm32mp_get_bsec_static_cfg() to
provide BSEC driver some information as the BSEC memory size and
its lower/upper threshold ID that split non-secure from secure OTPs.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Christophe Montaud <christophe.montaud@st.com>
Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Mathieu Belou <mathieu.belou@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-ls: updated conf.mk to set CFG_USER_TA_TARGETS

from R3.4.0 onwards, CFG_USER_TA_TARGETS = "ta_arm32 ta_arm64"
is set by default, if the CFG_USER_TA_TARGETS is not set.

Updating the conf.mk for

plat-ls: updated conf.mk to set CFG_USER_TA_TARGETS

from R3.4.0 onwards, CFG_USER_TA_TARGETS = "ta_arm32 ta_arm64"
is set by default, if the CFG_USER_TA_TARGETS is not set.

Updating the conf.mk for plat-ls devices to set the default
value to CFG_USER_TA_TARGETS as per platform.

Value to CFG_USER_TA_TARGETS can be overridden using the make cmd.

Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ci: travis: keep only code rule checks

The Travis build keeps timing out apparently due to a reduced download
speed compared with some time ago. It is not rare for the build to fail
in the initial "

ci: travis: keep only code rule checks

The Travis build keeps timing out apparently due to a reduced download
speed compared with some time ago. It is not rare for the build to fail
in the initial "repo sync" phase with the error message:

No output has been received in the last 10m0s, this potentially
indicates a stalled build or something wrong with the build itself.

Allowing more verbosity from "repo sync" could possibly avoid this
particular error, but then the second issue is that total build time
reaches 50 minutes very frequently which is the limit for Open Source
projects.

Since we have IBART to run xtest on HiKey, we can loose the test on
QEMU. Therefore, this commit keeps only the code rule checks in the
Travis script (checkpatch.pl and pycodestyle).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: isoc: implement more ctypes functions

Implement missing functions from ctypes.h.

Signed-off-by: Yunjong Jeong <yunjong@kaist.ac.kr>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

drivers: GICv3: Configure native secure interrupt

OP-TEE dispatcher registers with TF-A to handle EL1S interrupts
by design. OP-TEE should own the G1S interrupts in GICv3.
-gic_it_add() should resul

drivers: GICv3: Configure native secure interrupt

OP-TEE dispatcher registers with TF-A to handle EL1S interrupts
by design. OP-TEE should own the G1S interrupts in GICv3.
-gic_it_add() should result in configuring a given interrupt to
G1S instead of G0 for GICv3.
-G1S interrupts to be enabled at distributor interface.
-system interface register ICC_IGRPEN1_EL1 to be used to enable
G1S interrupts.

Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Reviewed-by: Soby Mathew <soby.mathew@arm.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add support for Hisilicon Hi3519AV100 DEMO board

Hi3519AV100 is a high-performance and low-power 4K
Smart IP Camera SoC designed for IP cameras, action cameras,
panoramic cameras, rear view mirrors,

Add support for Hisilicon Hi3519AV100 DEMO board

Hi3519AV100 is a high-performance and low-power 4K
Smart IP Camera SoC designed for IP cameras, action cameras,
panoramic cameras, rear view mirrors, and UAVs. Hi3519A
V100 introduces H.265/H.264 encoding and decoding, with
performance up to 4K x 2K@60 fps and 1080p@240 fps.
For more information:
http://www.hisilicon.com/en/Products/ProductList/Surveillance

This patch has been tested using the following step,
1. Patch the uboot and Linux kernel with OP-TEE support if required
2. build step:
(1) make CROSS_COMPILE=arm-himix200-linux- PLATFORM=hisilicon
PLATFORM_FLAVOR=hi3519av100_demo (OPTEE-OS build)

(2) make CROSS_COMPILE_HOST=arm-himix200-linux- (OPTEE_CLIENT build)

(3) cross_compile openssl and replace optee_test/host/libopenssl

(4) make CROSS_COMPILE_HOST=arm-himix200-linux-
CROSS_COMPILE_TA=arm-himix200-linux-
TA_DEV_KIT_DIR=../optee_os/out/arm-plat-hisilicon/export-ta_arm32
COMPILE_NS_USER=32 (OPTEE_TEST build)

3. mkimage -A arm -T kernel -O tee -C none -d tee.bin uTee.optee
4. Boot setting in uboot:
nand read 0x22007fc0 0x100000 0x400000; /* load kernel */
tftp 0x30000000 uTee.optee;bootm 0x30000000;
5. after Linux startup, run daemon tee-supplicant
6. run xtest

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>

show more ...

docs: Remove current docs and link to the new location

All current documentation has been transferred to a new git called
optee_docs [1]. The output from optee_docs will be rendered using Sphinx
and

docs: Remove current docs and link to the new location

All current documentation has been transferred to a new git called
optee_docs [1]. The output from optee_docs will be rendered using Sphinx
and hosted at optee.readthedocs.io [2]. The new documentation git will
also be part of the regular OP-TEE releases. For completeness, it will
also be included in our manifests making up a full OP-TEE developer
setup.

[1] https://github.com/OP-TEE/optee_docs
[2] https://optee.readthedocs.io

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: mm: simplify overlap check

Overlap region check could be simplified as below:
"(StartA <= EndB) and (StartB <= EndA)"

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Joakim Bech <joak

core: mm: simplify overlap check

Overlap region check could be simplified as below:
"(StartA <= EndB) and (StartB <= EndA)"

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...