core: instrument mutexes with lockdep

Implements lockdep hooks for mutexes. CFG_LOCKDEP is disabled by default,
because it causes a noticeable slowdown (plain xtest runs 2-4x slower).

Tested-by: Je

core: instrument mutexes with lockdep

Implements lockdep hooks for mutexes. CFG_LOCKDEP is disabled by default,
because it causes a noticeable slowdown (plain xtest runs 2-4x slower).

Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, HiKey960)
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

unwind: remove debug messages

The debug messages "vsp out of bounds" (arm32) or "FP out of bounds"
(arm64) are shown quite often when call stacks are captured (observed when
running the lockdep algo

unwind: remove debug messages

The debug messages "vsp out of bounds" (arm32) or "FP out of bounds"
(arm64) are shown quite often when call stacks are captured (observed when
running the lockdep algorithm on mutexes for instance). The call stacks
look fine nonetheless. So, remove these traces.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: introduce lockdep algorithm

This commit introduces an algorithm that may be used to detect improper
usage of locks at runtime. It can detect two kinds errors:

1. A thread tries to release a

core: introduce lockdep algorithm

This commit introduces an algorithm that may be used to detect improper
usage of locks at runtime. It can detect two kinds errors:

1. A thread tries to release a lock it does not own,
2. A thread tries to aquire a lock and the operation could *potentially*
result in a deadlock.

The potential deadlock detection assumes that the code adheres to a strict
locking hierarchy, in other word, that there is a partial ordering on the
locks so that there can be no situation where circular waits can occur. To
put things simply, any two locks should be acquired in the same order in
the same thread. This addresses the following case:

[Thread #1] [Thread #2]

lock(A)
lock(B)
lock(B)
lock(A) <-- deadlock!
...

The algorithm builds the lock hierarchy dynamically and reports as soon as
a violation is detected.

The interface is made of two functions: lockdep_lock_acquire() and
lockdep_lock_release(), which are meant to be introduced in the
implementation of the actual lock objects. The "acquire" hook tells the
algorithm that a particular lock is about to be requested by a particular
thread, while the "release" hook is meant to be called before the lock is
actually released. If an error is detected, debugging information is sent
to the console, and panic() is called. The debugging information includes
the lock cycle that was detected (in the above example, {A, B}), as well
as the call stacks at the points where the locks were acquired.

The good thing with such an instrumentation of the locking code is that
there is no need to wait for an actual deadlock to occur in order to
detect potential problems. For instance, the timing of execution in the
above example could be different but the problem would still be detected:

[Thread #1] [Thread #2]

lock(A)
lock(B)
unlock(B)
unlock(A)
lock(B)
lock(A) <-- error!

A pseudo-TA is added for testing (pta/core_lockdep_tests.c).

This code is based on two sources:
- A presentation called "Dl-Check: dynamic potential deadlock detection
tool for Java programs" [1], although the somewhat complex MNR algorithm
for topological ordering of a DAG was not used;
- A depth-first search algorithm [2] was used instead.

Link: [1] https://www.slideshare.net/IosifItkin/tmpa2017-dlcheck-dynamic-potential-deadlock-detection-tool-for-java-programs
Link: [2] https://en.wikipedia.org/wiki/Topological_sorting#Depth-first_search
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutils: sys/queue.h: add STAILQ_FOREACH_SAFE()

Import macro STAILQ_FOREACH_SAFE from FreeBSD.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@l

libutils: sys/queue.h: add STAILQ_FOREACH_SAFE()

Import macro STAILQ_FOREACH_SAFE from FreeBSD.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

scripts/symbolize.py: be more specific when matching stack addresses

Use a more specific regular expression for call stack addresses so that
the script will not attempt to resolve any hexadecimal nu

scripts/symbolize.py: be more specific when matching stack addresses

Use a more specific regular expression for call stack addresses so that
the script will not attempt to resolve any hexadecimal number encountered
in the middle of a message.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add unw_get_kernel_stack()

Adds a function to obtain the current kernel call stack as an array.
This is useful for debugging code which may need to record the call stack
at various point of th

core: add unw_get_kernel_stack()

Adds a function to obtain the current kernel call stack as an array.
This is useful for debugging code which may need to record the call stack
at various point of the kernel execution.

Depends on CFG_UNWIND=y.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: pta: group self tests together

Avoid repeating $(CFG_TEE_CORE_EMBED_INTERNAL_TESTS) for each core
self-test source file by using a ifeq block. In addition to making things
shorter, it is now e

core: pta: group self tests together

Avoid repeating $(CFG_TEE_CORE_EMBED_INTERNAL_TESTS) for each core
self-test source file by using a ifeq block. In addition to making things
shorter, it is now easier to introduce conditional tests which would
otherwise need one ifeq per feature to be tested: we can simply use
src-$(CFG_FOO) += core_foo_tests.c.

No functional change.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj.c: sort #includes

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

drivers: imx_uart: avoid hang if UART is disabled

Avoid indefinite hangs by not writing to the UART if it's disabled.
If the UART is disabled, the write and flush routines will hang
indefinitely whi

drivers: imx_uart: avoid hang if UART is disabled

Avoid indefinite hangs by not writing to the UART if it's disabled.
If the UART is disabled, the write and flush routines will hang
indefinitely which can be difficult to debug.

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

show more ...

drivers: imx_uart: ensure space in TX UART before writing

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

plat-imx: Add i.MX6SoloX Udoo Neo Full platform flavor

Add support for i.MX6SoloX Udoo Neo Full.
https://shop.udoo.org/usa/neo/udoo-neo-full.html

Signed-off-by: Christopher Co <christopher.co@micro

plat-imx: Add i.MX6SoloX Udoo Neo Full platform flavor

Add support for i.MX6SoloX Udoo Neo Full.
https://shop.udoo.org/usa/neo/udoo-neo-full.html

Signed-off-by: Christopher Co <christopher.co@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Tested-by: Jordan Rhee <jordanrh@microsoft.com>

show more ...

plat-imx: add mx7dclsom platform flavor

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>

plat-imx: fix compile error for mx6qhmbedge flavor

Set DDR sze and console UART base in conf.mk to
avoid a compilation error.

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan R

plat-imx: fix compile error for mx6qhmbedge flavor

Set DDR sze and console UART base in conf.mk to
avoid a compilation error.

Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Acked-by: Peng Fan <peng.fan@nxp.com>

show more ...

qemu: increase CFG_DTB_MAX_SIZE to 1 MiB

Since upstream QEMU commit 14ec3cbd7c1e ("device_tree: Increase
FDT_MAX_SIZE to 1 MiB"), which is included in release v2.12.1 and later,
OP-TEE initializatio

qemu: increase CFG_DTB_MAX_SIZE to 1 MiB

Since upstream QEMU commit 14ec3cbd7c1e ("device_tree: Increase
FDT_MAX_SIZE to 1 MiB"), which is included in release v2.12.1 and later,
OP-TEE initialization fails with the following error (-3 is
-FDT_ERR_NOSPACE):

E/TC:0 0 init_fdt:808 Invalid Device Tree at 0x40000000: error -3

Increase CFG_DTB_MAX_SIZE accordingly. Tested with the current tip of the
QEMU master branch, in 32- and 64-bit modes (note that our 64-bit QEMU
setup needs a TF-A patch -- PLAT_QEMU_DT_MAX_SIZE needs to be set to 1 MiB
too).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

auto-locate checkpatch

Try to locate checkpatch.pl in typical location(s) if environment
variable CHECKPATCH is not set.
The launch script first tries to find checkpatch.pl on the path,
next it chec

auto-locate checkpatch

Try to locate checkpatch.pl in typical location(s) if environment
variable CHECKPATCH is not set.
The launch script first tries to find checkpatch.pl on the path,
next it checks typical locations for linux headers, finally it
tries to locate linux sources used for OP-TEE in with QEMU.
The first match is used as the checkpatch instance to be invoked.

Signed-off-by: Markus S. Wamser <markus.wamser@mixed-mode.de>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: simplify shm cookie handling

Simplifies SHM cookie handling by storing the cookie in the mobj instead
of putting the burden on the caller. The cookie parameter is dropped
from the thread_rpc_*

core: simplify shm cookie handling

Simplifies SHM cookie handling by storing the cookie in the mobj instead
of putting the burden on the caller. The cookie parameter is dropped
from the thread_rpc_*_payload() functions. All callers of those
functions are also updated and unused cookie members of related structs
are removed too.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread: thread_rpc_{free,alloc}_arg() static

Makes thread_rpc_alloc_arg() and thread_rpc_free_arg() static since they
are only used internally in thread.c

Reviewed-by: Jerome Forissier <jerom

core: thread: thread_rpc_{free,alloc}_arg() static

Makes thread_rpc_alloc_arg() and thread_rpc_free_arg() static since they
are only used internally in thread.c

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

hikey960: change DRAM1_SIZE_NSEC for 4GB board

SoC reference manual [1] page 2-23 says that the DRAM address range is
0x00000000 - 0xDFFFFFFF for a total of 3.5GB, so the limit would seem
to be 0xE0

hikey960: change DRAM1_SIZE_NSEC for 4GB board

SoC reference manual [1] page 2-23 says that the DRAM address range is
0x00000000 - 0xDFFFFFFF for a total of 3.5GB, so the limit would seem
to be 0xE0000000, not 0x100000000, or 0xFFE00000 based on [2] and [3].

Link: [1] https://github.com/96boards/documentation/raw/master/consumer/hikey/hikey960/hardware-docs/HiKey960_SoC_Reference_Manual.pdf
Link: [2] https://github.com/OP-TEE/optee_os/issues/2597#issuecomment-428587050
Link: [3] https://github.com/OP-TEE/optee_os/issues/2597#issuecomment-428865951
Fixes: https://github.com/OP-TEE/optee_os/issues/2597
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: modify tee_otp_get_hw_unique_key to return TEE_Result

Getting the hardware key can fail on some platforms. Modify the function
signature to return an appropriate error code.

Signed-off-by: Da

core: modify tee_otp_get_hw_unique_key to return TEE_Result

Getting the hardware key can fail on some platforms. Modify the function
signature to return an appropriate error code.

Signed-off-by: Daniel McIlvaney <damcilva@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

porting guide: misc documentation fix

The first sentence was duplicated. Remove the repetition.
Update the part about CI from Travis to Shippable.

Signed-off-by: Loys Ollivier <loys.ollivier@gmail.

porting guide: misc documentation fix

The first sentence was duplicated. Remove the repetition.
Update the part about CI from Travis to Shippable.

Signed-off-by: Loys Ollivier <loys.ollivier@gmail.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Update CHANGELOG.md for 3.3.0

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
Tested-by: Jerome Forissier <jerome.f

Update CHANGELOG.md for 3.3.0

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMUv8)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (FVP)
Tested-by: Sumit Garg <sumit.garg@linaro.org> (Developerbox)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960, GP)
Tested-by: Victor Chong <victor.chong@linaro.org> (HiKey620 AOSP)
Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org> (RPi3)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno AArch64)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2120/b2260, GP)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1, GP)
Tested-by: Akshay Bhat <akshay.bhat@timesys.com> (Atmel SAM)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Hikey)
Tested-by: Igor Opaniuk <igor.opaniuk@linaro.org> (Poplar)
Tested-by: Joseph Chen <chenjh@rock-chips.com> (RK322X)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)

show more ...

core: juno: workaround cortex-a57 errata 808870

Workaround errata 808870:
Unconditional VLDM instructions might cause an alignment fault even
though the address is aligned

Products Affected: Cortex

core: juno: workaround cortex-a57 errata 808870

Workaround errata 808870:
Unconditional VLDM instructions might cause an alignment fault even
though the address is aligned

Products Affected: Cortex-A57 MPCore.
Present in: r0p0

The workaround is to avoid generating the problematic instructions in
AArch32 TA.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: Fix base64 encoding function

Bitwise OR of unsigned int and a signed char is machine dependent and
could lead to invalid base64 encoding.

This commit makes it use unsigned char instead.

S

libutee: Fix base64 encoding function

Bitwise OR of unsigned int and a signed char is machine dependent and
could lead to invalid base64 encoding.

This commit makes it use unsigned char instead.

Signed-off-by: Krzysztof Jackiewicz <k.jackiewicz@samsung.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

abort.c: arm32: assume VFP instr if undef

If an undefined instruction exception is raised from user mode assume it
is a VFP instruction unless VFP already is enabled.

This avoids reading user mode

abort.c: arm32: assume VFP instr if undef

If an undefined instruction exception is raised from user mode assume it
is a VFP instruction unless VFP already is enabled.

This avoids reading user mode memory while handling an abort which until
now has kept an undiscovered race where a page could become inaccessible
before the abort handler had the chance to read the instruction from the
page.

There is room for false positives. Those will be discovered the next
time the instruction is executed and still causes an undefined
instruction exception. Only this time VFP is already enabled so we know
it's not a VFP instruction. Enabling VFP in vain like this is harmless.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: prevent allocation when exception index tables are empty

This change prevent the core from allocating memory, mapping and
other resources to map exception index tables that are all empty.

Sig

core: prevent allocation when exception index tables are empty

This change prevent the core from allocating memory, mapping and
other resources to map exception index tables that are all empty.

Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...