History log of /optee_os/ (Results 5826 – 5850 of 8382)
Revision Date Author Comments
1a4fa97d 25-Jan-2019 Sandeep Tripathy <sandeep.tripathy@broadcom.com>

plat-bcm: Add Broadcom ARMv8-A SoC ns3

Add base platform support for Broadcom ns3 SoC.
Broadcom ns3 is ARMv8-A based SoC with Cortex-A72 cores
and GICv3. It is configured to run with TF-A.

Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Reviewed-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
Reviewed-by: Scott Branden <scott.branden@broadcom.com>
Reviewed-by: Pramod Kumar <pramod.kumar@broadcom.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

8268bf58 23-May-2018 Jerome Forissier <jerome.forissier@linaro.org>

Add documentation/external_libraries.rst

Document how larger external libraries are imported into the OP-TEE
repository and how they are maintained. Although this process has been
applied in parts for mbed TLS, it is still somewhat theoretical and may
need to be amended in the future.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

3ec2cabc 28-Jan-2019 Victor Chong <victor.chong@linaro.org>

mk/aosp_optee.mk: remove cp -u option

AOSP's Toybox's version of cp doesn't support the -u option

Signed-off-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

406c609b 14-Jan-2019 Jerome Forissier <jerome.forissier@linaro.org>

Update CHANGELOG.md for 3.4.0

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Akshay Bhat <akshay.bhat@timesys.com> (Atmel SAM)
Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> (i.MX7Solo WaRP7)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2260, GP)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1, GP)
Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org> (Poplar)
Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org> (RPi3)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Hikey)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960, GP)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMUv8)
Tested-by: Rouven Czerwinski <r.czerwinski@pengutronix.de> (mx6qsabresd)
Tested-by: Sumit Garg <sumit.garg@linaro.org> (Developerbox)
Tested-by: Victor Chong <victor.chong@linaro.org> (HiKey960 AOSP P, HiKey620 AOSP P)
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (RCAR H3)
Tested-by: Ying-Chun Liu (PaulLiu) <paul.liu@linaro.org> (sunxi-bpi_zero)

86b8b340 23-Jan-2019 Jens Wiklander <jens.wiklander@linaro.org>

core: arm32: fix gicv3 fiq race

Fixes a race where FIQ isn't masked in the abort handler which results in
lost register content and invalid processing of the abort when resumed.

Fixes: 18901324e00a ("Support ARM GICv3 mode")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

41b29406 16-Jan-2019 Oliver Chiang <rockerfeynman@gmail.com>

core: syscall_storage_obj_create(): fix a memory leak

Free the o->attr in the error handling part.

Fixes: https://github.com/OP-TEE/optee_os/issues/2738
Signed-off-by: Oliver Chiang <rockerfeynman@gmail.com>
[jf: do not set o->attr = 0; move tee_obj_free(o) under if (o) { ... }]
[jf: add spaces to subject; use URL in Fixes: tag]
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)

41985789 21-Jan-2019 Jens Wiklander <jens.wiklander@linaro.org>

plat-vexpress: disable uart IT with TF-A and GICv3

Disables uart interrupts if compiled for TF-A and GICv3 since TF-A
doesn't know which interrupts OP-TEE will handle.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

84e9c40b 20-Nov-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: svc_cryp: fix truncated buffer length

Fixes truncated buffer length in multiple crypto syscalls. The buffer
length is truncated on 32-bit systems because a size_t can't hold a
uint64_t which is used to carry the buffer length.

Fixes: "Truncated buffer length in crypto system calls (x4)" as reported
by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

d5c5b0b7 20-Nov-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: svc: always check ta parameters

Always check TA parameters from a user TA. This prevents a user TA from
passing invalid pointers to a pseudo TA.

Fixes: OP-TEE-2018-0007: "Buffer checks missing when calling pseudo
TAs".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

c6edc12a 20-Nov-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: entry_std: check value of num_params

Checks value of num_params against OPTEE_MSG_MAX_NUM_PARAMS before using
it in OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

c4f75cc6 20-Nov-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: optee_msg.h: define OPTEE_MSG_MAX_NUM_PARAMS

Defines OPTEE_MSG_MAX_NUM_PARAMS to be used with the macro
OPTEE_MSG_GET_ARG_SIZE() in order to avoid unexpected wrapping.

Fixes: "Macro for checking size of parameter buffer can overflow" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

95f36d66 19-Nov-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: tee_mmu_check_access_rights() check all pages

Prior to this patch tee_mmu_check_access_rights() checks an address in
each page of a supplied range. If both the start and length of that
range are unaligned the last page in the range is sometimes not checked.
With this patch the first address of each page in the range is checked
to simplify the logic of checking each page and the range and also to
cover the last page under all circumstances.

Fixes: OP-TEE-2018-0005: "tee_mmu_check_access_rights does not check
final page of TA buffer"

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

359324a2 12-Oct-2018 Jens Wiklander <jens.wiklander@linaro.org>

svc: Initialize tmp_va_buf to prevent a TOCTOU attack

tmp_va_buf will be used if caller parameters point to private TA
memory. However, after doing the syscall to invoke the command it could
be that REE has changed caller parameters to point to regular shared
memory and that could potentially open for tmp_va_buf leaking old
information on the stack.

Mitigate this by simplifying tee_svc_update_out_param() by only taking
tmp_buf_va[n] into account to tell if a temporary buffer is used or not.

Note that tee_svc_copy_to_user() will make sure that only data writeable
by the user TA can be updated.

Fixes: "Double fetch can be used to copy from uninitialized pointer" as
reported by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

e3adcf56 12-Oct-2018 Jens Wiklander <jens.wiklander@linaro.org>

core: ensure that supplied range matches MOBJ

In set_rmem_param() if the MOBJ is found by the cookie it's verified to
represent non-secure shared memory. Prior to this patch the supplied
sub-range to be used of the MOBJ was not checked here and relied on
later checks further down the chain. Those checks seem to be enough
for user TAs, but not for pseudo TAs where the size isn't checked.

This patch adds a check for offset and size to see that they remain
inside the memory covered by the MOBJ.

Fixes: OP-TEE-2018-0004: "Unchecked parameters are passed through from
REE".

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

99e8a8cc 27-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

svc: fix NULL pointer dereference during storage enumeration

In syscall_storage_next_enum(..) when 'tee_obj o' isn't successfully
initialized, then 'o->pobj->fops' is a NULL pointer and therefore we
need to check for that before trying to dereference it in the clean-up
part of the function.

Fixes: "Null pointer dereference in storage system call" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

ea8357c1 27-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

svc: check for overflow when allocating a BigNum buffer

To avoid overflow errors and copy more data than being allocated we must
check for overflow when allocating a buffer for the bignum-buffer which
is 8 times larger than the binary buffer.

Fixes: "Integer overflow in crypto system call" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

54ebc3ac 27-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

svc: avoid TOCTOU issue in syscall_hash_final

When checking that the supplied buffer is big enough to fit the computed
digest one should use the local copy 'hlen' instead of 'hash_len' to
prevent that a malicious attacker in REE has changed the size of
'hash_len' after it has been copied to the local buffer.

(TOCTOU: Time Of Check To Time of Use)

Fixes: "Double-fetch of length in syscall_hash_final (x2)" as reported
by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

70697bf3 27-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

svc: check for allocation overflow in crypto calls part 2

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0011: "Integer overflow in crypto system calls (x2)"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

a6372432 27-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

svc: check for allocation overflow in crypto calls

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0010: "Integer overflow in crypto system calls (x2)"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

b60e1cee 27-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

svc: check for allocation overflow in syscall_cryp_obj_populate

Without checking for overflow there is a risk of allocating a buffer
with size smaller than anticipated and as a consequence of that it might
lead to a heap based overflow with attacker controlled data written
outside the boundaries of the buffer.

Fixes: OP-TEE-2018-0009: "Integer overflow in crypto system calls"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

8f58cdbe 10-Sep-2018 Jens Wiklander <jens.wiklander@linaro.org>

fs: prevent out of place write when no data

Fixes: "Uninitialized return value returned if len equals 0" as reported
by Riscure.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

4ca9e426 10-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

core: add missing return(s) in shdr_alloc_and_copy

Fixes: "Incorrect error handling in shdr_alloc_and_copy (x2)" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

cfc61406 10-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

rpc: ensure that TA fits in allocated memory

When the TEE is about to load a TA it first asks the REE for the size of
the TA in question. Next it allocates memory for this based on the size
in the previous query. However, there is no guarantee that the REE
actually allocates the requested size. A compromised REE could for
example modify the RPC request. This means that even though an
allocation is successful, we still need to check that the size of the
allocated buffer has room to fit the entire TA we are about to load.

Fixes: "REE provided size not checked when loading TAs" as reported by
Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

4ca89f5f 07-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

tadb: set error condition on TA size mismatch

If tee_tadb_ta_read(..) is successful in secstor_ta_open(..), then we
must set an error code manually if the size check right after fails.

Fixes: "Loading from secure storage returns success with uninitialized
pointer" as reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

d8e3005e 07-Sep-2018 Joakim Bech <joakim.bech@linaro.org>

core: initialize saved_attr

The saved_attr variable is used in the cleanup condition in the
entry_open_session(..) function. The function cleanup_params(..)
conditionally frees up memory based on the values from saved_attr and
therefore saved_attr must be initialized with a proper value in case the
functions that are supposed to fill in correct attributes are failing.

Fixes: "Use of uninitialized variable in REE exposed function" as
reported by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
