rpmb: check return value from essiv call

An error in the function essiv, as for example memory allocation failure
could result in an uninitialized IV, which means that the IV used for
en/decryption

rpmb: check return value from essiv call

An error in the function essiv, as for example memory allocation failure
could result in an uninitialized IV, which means that the IV used for
en/decryption would consist of data previously stored at this memory
location. This could eventually corrupt the filesystem.

Fixes: "Return value of cryptographic function is unchecked" by Riscure.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory poo

core: clear the entire TA area

Previously we cleared (memset to zero) the size corresponding to code
and data segments, however the allocation for the TA is made on the
granularity of the memory pool, meaning that we did not clear all memory
and because of that we could potentially leak code and data of a
previous loaded TA.

Fixes: OP-TEE-2018-0006: "Potential disclosure of previously loaded TA
code and data"

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7, v8)
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reported-by: Riscure <inforequest@riscure.com>
Reported-by: Alyssa Milburn <a.a.milburn@vu.nl>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

lockdep: fix dup_call_stack()

dup_call_stack() does not properly deal with the sentinel. Fix it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wikl

lockdep: fix dup_call_stack()

dup_call_stack() does not properly deal with the sentinel. Fix it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

trace: fix core id print if in non-atomic context

Make "?" print repetitive equivalent to number of digits needed to display
core id rather than extra spaces as it causes symbolize.py script parsing

trace: fix core id print if in non-atomic context

Make "?" print repetitive equivalent to number of digits needed to display
core id rather than extra spaces as it causes symbolize.py script parsing
failure for call stack addresses in case number of cores is greater than
10.

Also change symbolize.py to detect repetitive "?".

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Update revision for release tag 3.4.0-rc1

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

mbedtls: TEE_BigIntMul(): use temporary

mbedtls_mpi_mul_mpi() checks the allocated size of the output number
before starting to multiply the numbers. It makes a conservative guess
by requiring the r

mbedtls: TEE_BigIntMul(): use temporary

mbedtls_mpi_mul_mpi() checks the allocated size of the output number
before starting to multiply the numbers. It makes a conservative guess
by requiring the result to be at least as large as the sum of the sizes
of the input numbers. For instance, if A fits in one "limb" and B fits
in two, then the result is expected to have nblimbs = 3 at least.
This is sometimes too restrictive. Consider A = 1 (can be represented
with nblimbs == 1 32-bit words) and B = 0x0FFFFFFFFFFFFFFF (fits in a
bignum with nblimbs == 2 32-bit words). A * B is equal to B and fits
in 2 limbs, but the current code requires 3.
This patch fixes the problem by allocating a big enough temporary
result.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mbedtls: fix memory leak in mpi_miller_rabin()

8ff963a60211 ("mbedtls: fix memory leak in mpi_miller_rabin()") from
branch import/mbedtls-2.6.1

Fixes memory leak in mpi_miller_rabin() that occurs w

mbedtls: fix memory leak in mpi_miller_rabin()

8ff963a60211 ("mbedtls: fix memory leak in mpi_miller_rabin()") from
branch import/mbedtls-2.6.1

Fixes memory leak in mpi_miller_rabin() that occurs when the function has
failed to obtain a usable random 'A' 300 turns in a row.

Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with Glo

hikey960: set CFG_CORE_BGET_BESTFIT=y

Enables the "best fit" algorithm for core memory allocation on HiKey960.
This avoids occasional out-of-memory errors when running the full xtest
suite (with GlobalPlatform tests).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mempool: fix race in get_pool()

Fixes a race in get_pool() which could leave the pool with zero refences
but still owned by the last thread using the pool.

Some performance number on Hikey with def

mempool: fix race in get_pool()

Fixes a race in get_pool() which could leave the pool with zero refences
but still owned by the last thread using the pool.

Some performance number on Hikey with default configuration:
github/master (edbb89f, before this commit):

4006 real 1m 41.11s
4007 real 1m 14.51s
4008 real 0m 0.13s
4009 real 1m 5.68s

Revert "mempool: optimize reference counting", before this commit:
4006 real 3m 27.78s
4007 real 0m 50.03s
4008 real 0m 0.13s
4009 real 2m 24.07s

With this commit, two runs:
4006 real 1m 37.51s
4007 real 0m 56.67s
4008 real 0m 0.09s
4009 real 1m 3.18s

4006 real 1m 37.61s
4007 real 0m 35.32s
4008 real 0m 0.13s
4009 real 1m 3.15s

Numbers are gathered with this script:
for a in 4006 4007 4008 4009 ; do \
echo -n $a " " >> time.txt ;\
time -o time.txt.tmp xtest -l 15 $a || break ;\
grep real time.txt.tmp >> time.txt
done
cat time.txt

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

atomic.h: add atomic_{load,store}_int()

Adds atomic_load_int() and atomic_store_int().

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.or

atomic.h: add atomic_{load,store}_int()

Adds atomic_load_int() and atomic_store_int().

Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

gen_hashed_bin.py: open file in binary mode

By default Python tries to open files in text mode. This is
okay for python2, because it uses 8-bit encoding.
But python3 tries to decode file as utf-8 en

gen_hashed_bin.py: open file in binary mode

By default Python tries to open files in text mode. This is
okay for python2, because it uses 8-bit encoding.
But python3 tries to decode file as utf-8 encoded and fails,
because it is a binary file.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissie

stm32mp1: init console from DTB

Get console configuration from embedded DTB when available.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_uart: API to init console bus from a DTB

Introduce stm32_uart_init_from_dt_node() that initializes an UART
device from the given DT node. The function returns the reference
to the created UART

stm32_uart: API to init console bus from a DTB

Introduce stm32_uart_init_from_dt_node() that initializes an UART
device from the given DT node. The function returns the reference
to the created UART instance.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: early console configuration

This change allows the OP-TEE configuration to select the UART
instance used as OP-TEE console. This change also prepares
a next step where the console is selec

stm32mp1: early console configuration

This change allows the OP-TEE configuration to select the UART
instance used as OP-TEE console. This change also prepares
a next step where the console is selected from device tree
directives.

Map all secure and non-secure UARTs, only the expected virtual
areas will be accessed at runtime.

Value 23 chosen for CFG_MMAP_REGIONS is more than required. As
later changes will introduce new drivers, this value is expected
affordable (memory footprint) and allow new drivers to land without
needed to increment a static value.

CFG_STM32_EARLY_CONSOLE_UART also to specify the hard coded UART
interface used for early trace console.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32mp1: minor base address cleanup

Add few comments in platform_config.h to macros split definition
by topics.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech

stm32mp1: minor base address cleanup

Add few comments in platform_config.h to macros split definition
by topics.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

Thi

stm32_uart: rename exported structure and add secure flag

Rename structure console_pdata into stm32_uart_pdata as it will
be exported over the platform and should not use such a generic
naming.

This change adds a secure flag to the UART device instance for
used to get the appropriate virtual address when required.
An UART bus could be used by the secure world in secure mode or
in non-secure mode. A bus to a secure element likely mandates
secure hardening of the UART. A debug console over a non-secure
UART link may require the UART resources to be assigned to the
non-secure world.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: dt: introduce _fdt_fill_device_info()

_fdt_fill_device_info() gets some generic properties from a given
node in a single always successful sequence.

Retrieved device information from the DT:

core: dt: introduce _fdt_fill_device_info()

_fdt_fill_device_info() gets some generic properties from a given
node in a single always successful sequence.

Retrieved device information from the DT:
- The status/secure-status state as per DT_STATUS_*,
- The first register base address found or DT_INFO_INVALID_REG (zero).
If there are several register base addresses others are ignored.
- The first clock identifier found or DT_INFO_INVALID_CLOCK (negative).
- This first reset identifier found or DT_INFO_INVALID_RESET (negative).

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: more flexible console init from DT

Introduce get_console_node_from_dt() that collects the references
to the console configuration in the DTB.

Existing configure_console_from_dt() relies on it

core: more flexible console init from DT

Introduce get_console_node_from_dt() that collects the references
to the console configuration in the DTB.

Existing configure_console_from_dt() relies on it when initiating
the console from the early core inits based on registered matching
device tables.

get_console_node_from_dt() allows a driver probed from the driver
initialization sequence (i.e registered from driver_init()) to
get the console DT directive.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

synquacer: Enable rng-pta as kernel device

Add TA_FLAG_DEVICE_ENUM flag to rng-pta header.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

synquacer: Enable rng-pta as kernel device

Add TA_FLAG_DEVICE_ENUM flag to rng-pta header.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: Add device pseudo TA

This pseudo TA enumerates OP-TEE pseudo TAs which can act as devices/
services for Linux TEE bus driver. For differentiation of such devices,
added TA_FLAG_DEVICE_ENU

core: pta: Add device pseudo TA

This pseudo TA enumerates OP-TEE pseudo TAs which can act as devices/
services for Linux TEE bus driver. For differentiation of such devices,
added TA_FLAG_DEVICE_ENUM optional flag in pseudo TA header.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pseudo_ta: Pass null memref as valid param

GlobalPlatform spec allows null memory reference parameters as valid.
So update copy_in_params for pseudo_ta accordingly.

Also add check for mobj pt

core: pseudo_ta: Pass null memref as valid param

GlobalPlatform spec allows null memory reference parameters as valid.
So update copy_in_params for pseudo_ta accordingly.

Also add check for mobj ptr being NULL before dereference as it causes
a data abort in case REE has passed NULL buffer ptr with size > 0 as
memref param.

Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: fix thread_excp_vect_end and literal pool

The two symbols thread_excp_vect and thread_excp_vect_end are used to
mark the part of the privileged code that still to be mapped in order to
transit

core: fix thread_excp_vect_end and literal pool

The two symbols thread_excp_vect and thread_excp_vect_end are used to
mark the part of the privileged code that still to be mapped in order to
transition between user mode and privileged mode when compiled with
CFG_CORE_UNMAP_CORE_AT_EL0=y.

Prior to this patch it was assumed that thread_excp_vect_end would mark
the end of the thread_excp_vect() assembly function including literals
emitted by the assembler. This assumption was wrong and an extra .pool
directive is added before the thread_excp_vect_end to guarantee that all
literals will be included in the section starting with thread_excp_vect
and ending with thread_excp_vect_end.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Reported-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm: imx: add iMX7D PICO MBL board definition

This patch adds an OP-TEE port for the i.MX7D PICO for the MBED Linux OS
boot flow.

BootROM -> ATF/BL2
ATF -> FIP {u-boot, OPTEE}
OPTEE -> {popul

arm: imx: add iMX7D PICO MBL board definition

This patch adds an OP-TEE port for the i.MX7D PICO for the MBED Linux OS
boot flow.

BootROM -> ATF/BL2
ATF -> FIP {u-boot, OPTEE}
OPTEE -> {populates DTB overlay}
u-boot -> FIT {DTB, Kernel, initramfs}
Merges DTB and OPTEE DTB-overlay
Linux

CFG_NS_ENTRY_ADDR = 0x87800000 is the entry point of u-boot
CFG_DT_OVERLAY = y adds DTB overlay fragments to the passed DTB

make PLATFORM=mx7dpico_mbl

Signed-off-by: Jun Nie <jun.nie@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

show more ...

cscope: do not exclude generated files

The build directory contains some generated source files, such as
include/generated/conf.h, core/include/generated/arm32_sysreg.{h,S} and
core/include/generate

cscope: do not exclude generated files

The build directory contains some generated source files, such as
include/generated/conf.h, core/include/generated/arm32_sysreg.{h,S} and
core/include/generated/asm-defines.h. Let cscope parse them and only
exclude the files that are copied into the export-ta_* directories (TA
dev kit).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

probe_max_it overwrite the value of GICD_ISENABLER

probe_max_it save the original value of GICD_ISENABLER
and write 0xffffffff into GICD_ISENABLER to probe
the largest interrupt number.

Instead of

probe_max_it overwrite the value of GICD_ISENABLER

probe_max_it save the original value of GICD_ISENABLER
and write 0xffffffff into GICD_ISENABLER to probe
the largest interrupt number.

Instead of writing the original GICD_ISENABLER value
into GICD_ISENABLER, probe_max_it write the value into GICD_ICENABLER
and cause the original GICD_ISENABLER value bit flipping.

Signed-off-by: Lin Huang-Sen <r94922102@gmail.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...