core: crypto: introduce struct crypto_hash_ops

Uses struct crypto_hash_ops pointer in crypto context for hashes as a
glue layer instead of a switch(algo) in each crypto_hash_*() function.

Reviewed-

core: crypto: introduce struct crypto_hash_ops

Uses struct crypto_hash_ops pointer in crypto context for hashes as a
glue layer instead of a switch(algo) in each crypto_hash_*() function.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Add support for ultra96 ZynqMP board

Add flavor 'ultra96' to platform 'zynqmp'.
Redirect TEE console output to UART1.

Signed-off-by: Michael Grand <michael.grand.mg@gmail.com>
Acked-by: Jerome Fori

Add support for ultra96 ZynqMP board

Add flavor 'ultra96' to platform 'zynqmp'.
Redirect TEE console output to UART1.

Signed-off-by: Michael Grand <michael.grand.mg@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: Initialize the chip_id array when generating the SSK

In tee_fs_init_key_manager(), Secure Storage Key (SSK) is computed as
follow:

SSK = HMAC(HUK, message)
message := concatenate(chip

core: Initialize the chip_id array when generating the SSK

In tee_fs_init_key_manager(), Secure Storage Key (SSK) is computed as
follow:

SSK = HMAC(HUK, message)
message := concatenate(chip_id, static string)

chip_id is a 32-byte array but some tee_otp_get_die_id() implementation
may provide a smaller chip ID. Initialize the chip_id array to make
sure the remaining bytes do not contain garbage data. Without this
initialization, SSK may be inconsistent across power cycles generating
failures when reading back data from the secure storage.

Signed-off-by: Alexandre Jutras <alexandre.jutras@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libutee: fix deprecated TA_FLAG_REMAP_SUPPORT inline comment

Update inline comment and value for the deprecated TA flag
TA_FLAG_REMAP_SUPPORT.

Signed-off-by: Etienne Carriere <etienne.carriere@lina

libutee: fix deprecated TA_FLAG_REMAP_SUPPORT inline comment

Update inline comment and value for the deprecated TA flag
TA_FLAG_REMAP_SUPPORT.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

stm32_i2c: driver for STM32 I2C bus

Drivers is embedded upon CFG_STM32_I2C=y.

The driver main API functions are:
stm32_i2c_init() to initialize the device driver,
stm32_i2c_mem_{write|read}() for I

stm32_i2c: driver for STM32 I2C bus

Drivers is embedded upon CFG_STM32_I2C=y.

The driver main API functions are:
stm32_i2c_init() to initialize the device driver,
stm32_i2c_mem_{write|read}() for I2C memory mode transfer,
stm32_i2c_master_{transmit|receive}() for stream transfer.

2 helpers:
stm32_i2c_is_device_ready() checks the hardware I2C link,
stm32_i2c_get_setup_from_fdt() fills the I2C initialization
structure from the content found in the DT.

I2C driver instances do not register themselves to the PM
framework. Bus owner is responsible for calling the
stm32_i2c_{suspend|resume}() APIs when the owner device
executes a PM sequence.

stm32_i2c driver is dual licensed GPL-2.0/BSD-3-Clause.
The conversion algorithm for converting device tree bindings
timing information into STM32 I2C timings configuration
register is shared with other packages (Linux kernel, Arm
Trusted Firmware-A, U-Boot).

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutil: add UDIV_ROUND_NEAREST() macro

Default integer division rounds down. Here the interest is
to round to the nearest unsigned integer.

This is inspired from [1].

Link: [1] https://chromium.g

libutil: add UDIV_ROUND_NEAREST() macro

Default integer division rounds down. Here the interest is
to round to the nearest unsigned integer.

This is inspired from [1].

Link: [1] https://chromium.googlesource.com/chromiumos/platform/ec/+/master/include/util.h

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: ignore deprecated TA flags EXEC_DDR and USER_MODE

Commit 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and
USER_MODE") removes the requirement for user TAs to set the flags
TA_FLAG

core: ignore deprecated TA flags EXEC_DDR and USER_MODE

Commit 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and
USER_MODE") removes the requirement for user TAs to set the flags
TA_FLAG_EXEC_DDR (bit 0) and TA_FLAG_USER_MODE (bit 1), the rationale
being that they are meaningless in the current implementation.
The macros are re-defined to be zero to reflect the fact that they have
no use. But, instead of ignoring the previous values, the TEE core now
requires that bits 0 and 1 must *not* be set. This is a problem because
it needlessly breaks backward compatibility. A TA built against OP-TEE
3.0.0 will not work with 3.1.0 or later:

E/TC:? 0 tee_ta_init_user_ta_session:1040 Invalid TA flag(s) 0x3

This commit changes the acceptable flags mask (TA_FLAGS_MASK) to
include the previous EXEC_DDR and USER_MODE bits, thus restoring
backward compatibility.

Fixes: 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and USER_MODE")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: better align output of TA dump with many or big regions

With the introduction of shared libutee/libutils/libmbedtls etc., it
is not uncommon for a TA to have more than 10 memory regions. When

core: better align output of TA dump with many or big regions

With the introduction of shared libutee/libutils/libmbedtls etc., it
is not uncommon for a TA to have more than 10 memory regions. When this
happens, the crash dump output is not properly aligned.

Similarly, since there is no width specifier when we print the region
size, misalignments can occur.

This commit makes the output look good for up to 100 regions of up to
16 MiB in size.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Allow building libutils etc. as shared libraries

When CFG_ULIBS_SHARED=y (default n), build libutils, libmpa/libmbedtls
and libutee as shared libraries (.so). The static archives (.a) are
still prod

Allow building libutils etc. as shared libraries

When CFG_ULIBS_SHARED=y (default n), build libutils, libmpa/libmbedtls
and libutee as shared libraries (.so). The static archives (.a) are
still produced. The linker uses shared libraries by default when
present so TAs just need to be re-built to use the shared libraries.

For the time being, in-tree TAs are always linked statically for
practical reasons. Indeed, in-tree TAs (such as ta/avb) are likely
to be used as "early TAs". If such a TA was linked against shared
libraries, then those libraries would need to be installed in the
"early TA" area, too. While this works fine technically, it requires
some more steps in the Makefiles to make sure the proper dependencies
are installed and also it would mean that those libraries take
precedence over the ones potentially installed in the REE FS etc.
In other words, it would raise questions that we do not want nor need
to address now.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: elf_load: R_ARM_ABS32/R_AARCH64_ABS64 relocations against undefined symbol

The symbol referenced by a R_ARM_ABS32 or R_AARCH64_ABS64 relocation
may very well be external to the binary being re

core: elf_load: R_ARM_ABS32/R_AARCH64_ABS64 relocations against undefined symbol

The symbol referenced by a R_ARM_ABS32 or R_AARCH64_ABS64 relocation
may very well be external to the binary being relocated (for example,
defined in a shared library). In this case, the section table index for
the symbol is SHN_UNDEF and we need to perform process-wide symbol
resolution.

This fixes an issue I found when linking a TA against a shared version
of libutee (this configuration is introduced in a later commit). In this
case, ta_head::entry is set to __utee_entry which is in libutee.so,
hence undefined in the TA binary.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

User TA: add --as-needed to link flags

Add link flag '--as-needed' to avoid adding dependencies onto shared
libraries that are not actually used. This becomes particularly useful
when we build the b

User TA: add --as-needed to link flags

Add link flag '--as-needed' to avoid adding dependencies onto shared
libraries that are not actually used. This becomes particularly useful
when we build the base user libraries (libutils, libmpa and libmbedtls) as
shared objects. Without the flag, and because all libraries are passed to
the linker by default, all TAs would need to map all the libraries at
runtime resulting in a waste of memory.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

mk/lib.mk: add support for producing shared user libraries

This commit adds the infrastructure to build libutils, libmpa/
libmbedtls etc. as shared objects (.so).

Signed-off-by: Jerome Forissier <j

mk/lib.mk: add support for producing shared user libraries

This commit adds the infrastructure to build libutils, libmpa/
libmbedtls etc. as shared objects (.so).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: cleanup generic traces

Remove useless newline character in few generic debug traces.

Remove argument __func__ from a FMSG trace since already
output by macro FMSG().

Remove error trace from

core: cleanup generic traces

Remove useless newline character in few generic debug traces.

Remove argument __func__ from a FMSG trace since already
output by macro FMSG().

Remove error trace from syscall_storage_obj_read() that, prior
this change, output failing error code from storage read()
handler. This is useless and not done for other storage handlers
return code.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core/generic_boot: consistent DTB info traces

Use IMSG() traces when external and embedded DTB are tested.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissie

core/generic_boot: consistent DTB info traces

Use IMSG() traces when external and embedded DTB are tested.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core/generic_boot: tone down trace for missing external DTB

Change trace message indicating absence of external DTB
from error level to debug level. Implementation and comment
clearly state the conf

core/generic_boot: tone down trace for missing external DTB

Change trace message indicating absence of external DTB
from error level to debug level. Implementation and comment
clearly state the configuration is fully legitimate.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Compile user TAs with -fpic rather than -fpie

TA source files are compiled with the -fpie GCC flag in order to
generate a Position Independent Executable. This is not suitable to
produce a shared li

Compile user TAs with -fpic rather than -fpie

TA source files are compiled with the -fpie GCC flag in order to
generate a Position Independent Executable. This is not suitable to
produce a shared library as introduced by commit f8896d1301fc ("TA dev
kit: add support for creating shared libraries"). -fpic should be used
instead. Here is what the GCC man page has to say on these flags:

-fpic
Generate position-independent code (PIC) suitable for use in a
shared library [...]

-fpie
-fPIE
These options are similar to -fpic and -fPIC, but generated
position independent code can be only linked into executables.

So, it is quite clear that -fpie is wrong for a shared library. It is
not very clear however if -fpic can be used when generating code for an
executable. I think it can, and there is a bug report against the GCC
documentation that would confirm this [1]. Therefore we can simply use
-fpic in all cases. This is quite convenient because we currently make
no difference in the compile flags when we are building an executable,
a static library or a shared library.

The difference between -fpie and -fpic has to do with the kinds of
relocations that the compiler is allowed to emit. I stumbled upon this
issue when experimenting with shared libraries and the code proposed
by Jens to share read-only pages between TAs [2]. In my test case, a
shared library already loaded by one TA, is used by another TA. During
the load phase of the second TA, the TEE core crashed with a data-abort
(write permission fault) when trying to apply an R_ARM_REL32 relocation
to some literal pool data in the .text section of the library. The
whole .text being mapped read-only, there should be no relocation to do
here. And indeed the cause was the wrong flag (-fpie) used when
compiling the shared library.

Link: [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70419
Link: [2] https://github.com/OP-TEE/optee_os/pull/2801
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
CC: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960 32 & 64-bit TA)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1 Armv7)

show more ...

core: replace TAF with TA invocation in inline comments

TAF stands for Trusted Application Function. It is deprecated
since a while. This change replaces the few remaining occurrences
with TA invoca

core: replace TAF with TA invocation in inline comments

TAF stands for Trusted Application Function. It is deprecated
since a while. This change replaces the few remaining occurrences
with TA invocation.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: use PTA as acronym for pseudo TA

Make inline comments and trace messages more consistent by
using PTA as acronym for pseudo TA, rather than using pTA, PTA
and pta at various places.

Signed-of

core: use PTA as acronym for pseudo TA

Make inline comments and trace messages more consistent by
using PTA as acronym for pseudo TA, rather than using pTA, PTA
and pta at various places.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add inline description of TEE session field user_ctx

Replace inline comment ??? with an appropriate description of
the user_ctx field which points the the caller user TA context
in case a pseu

core: add inline description of TEE session field user_ctx

Replace inline comment ??? with an appropriate description of
the user_ctx field which points the the caller user TA context
in case a pseudo TA is invoked from the user TA client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta/gprof.c: remove redundant access check

There is no need to call tee_mmu_check_access_rights() to check the
parameters of gprof_start_pc_sampling(), because they have been checked
already b

core: pta/gprof.c: remove redundant access check

There is no need to call tee_mmu_check_access_rights() to check the
parameters of gprof_start_pc_sampling(), because they have been checked
already by utee_param_to_param() in core/tee/tee_svc.c.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: REE FS TAs: add option to verify signature before processing

Adds configuration flag CFG_REE_FS_TA_BUFFERED, default enabled.

A new TA store is introduced which depends on the TEE FS TA store

core: REE FS TAs: add option to verify signature before processing

Adds configuration flag CFG_REE_FS_TA_BUFFERED, default enabled.

A new TA store is introduced which depends on the TEE FS TA store to
load the whole binary into a temporary buffer in secure DDR and
authenticate it before being processed further.

This reduces the attack surface of the TEE core in case of a
vulnerability in the ELF loader, at the expense of increased memory
usage at load time.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.6]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

mk/config.mk: remove untrue comment

The comment stating that the REE filesystem is the only possible storage
to load Trusted Applications from is not true anymore. As described in
documentation/opte

mk/config.mk: remove untrue comment

The comment stating that the REE filesystem is the only possible storage
to load Trusted Applications from is not true anymore. As described in
documentation/optee_design.md, two other options are possible (early TAs
and secure storage). Therefore, remove the comment.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit remove

libutils: remove buf_compare_ct()

Now that we have consttime_memcmp(), buf_compare_ct() is redundant.
Every time buf_compare_ct() is used, consttime_memcmp() may be used
instead.

This commit removes buf_compare_ct(). A compatibility wrapper is kept
in <string_ext.h> to avoid knowingly breaking the build of any TA that
may use it.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison

libutee: TEE_MemCompare(): use constant time algorithm

TEE_MemCompare() currently calls memcmp() which returns as soon as a
difference is found in the compared buffers. The fact that the
comparison is not constant time for a given buffer size can reveal
information on the buffer content and lead to side-channel attacks.
Although the GlobalPlatform TEE Internal Core API specification says
nothing about this timing aspect, it is unsafe not to propose a constant
time implementation to TAs. A member of the GP specification working
group confirmed in an informal discussion.

Therefore, replace memcmp() with consttime_memcmp() for constant time
comparison. If a TA needs the fastest possible buffer comparison it can
call the C library function memcmp() (from <string.h>), which we provide
in libutils.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.2]
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() fun

libutils: Import isc_tsmemcmp() from NTP as consttime_memcmp()

This patch imports a constant-time byte sequence comparison function
from the NTP source tree [1]. Contrary to our buf_compare_ct() function,
which has only two possible outcomes (zero or non-zero), the new function
is a direct replacement for memcmp() because it returns three possible
states (< 0, 0, > 0).

Link: [1] http://bk.ntp.org/ntp-stable/lib/isc/tsmemcmp.c
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...