core: fine grained tee_ta_mutex locking

Changes TA loading and session initialization to use fine grained locking
based on the tee_ta_mutex.

This avoids a potential dead lock with PGT cache where w

core: fine grained tee_ta_mutex locking

Changes TA loading and session initialization to use fine grained locking
based on the tee_ta_mutex.

This avoids a potential dead lock with PGT cache where we're waiting for
new page tables with tee_ta_mutex locked, which prevents
tee_ta_close_session() to indirectly return any page tables.

This change also removes the last really big critical section. With this
TAs can be loaded in parallel.

Reported-by: Zhizhou Zhang <zhizhouzhang@asrmicro.com>
Tested-by: Zhizhou Zhang <zhizhouzhang@asrmicro.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: tee_svc.c: stop using tee_ta_mutex

A MOBJ handles serialization internally so there's no need to acquire
tee_ta_mutex before freeing or allocating a MOBJ.

Acked-by: Jerome Forissier <jerome.f

core: tee_svc.c: stop using tee_ta_mutex

A MOBJ handles serialization internally so there's no need to acquire
tee_ta_mutex before freeing or allocating a MOBJ.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Fix compiler warning with register_sdp_mem()

Fixes the following warning/error when CFG_SECURE_DATA_PATH is disabled:

$ make PLATFORM=hikey CFG_SECURE_DATA_PATH=n
...
core/arch/arm/mm/core_mmu.c

Fix compiler warning with register_sdp_mem()

Fixes the following warning/error when CFG_SECURE_DATA_PATH is disabled:

$ make PLATFORM=hikey CFG_SECURE_DATA_PATH=n
...
core/arch/arm/mm/core_mmu.c:90:61: error: ISO C does not allow extra ';' outside of a function [-Werror=pedantic]
register_sdp_mem(CFG_TEE_SDP_MEM_BASE, CFG_TEE_SDP_MEM_SIZE);
^
cc1: all warnings being treated as errors

Fixes: 2d9ed57b6bd8 ("Define register_sdp_mem() only when CFG_SECURE_DATA_PATH is defined")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

util.h: add CONCAT() macro

Add a macro that can be used to paste evaluated pre-processor tokens
in the code.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carri

util.h: add CONCAT() macro

Add a macro that can be used to paste evaluated pre-processor tokens
in the code.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Remove support for Allwinner A80 platform (plat-sunxi)

It has been almost three years since we have heard about plat-sunxi
(no new contributions, no patch ack'ed or tested, no feedback at
release ti

Remove support for Allwinner A80 platform (plat-sunxi)

It has been almost three years since we have heard about plat-sunxi
(no new contributions, no patch ack'ed or tested, no feedback at
release time). Therefore, remove support for this platform.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
CC: Sun Yangbang <sunny@allwinnertech.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: sm: init CNTVOFF

There is an property "arm,cpu-registers-not-fw-configured" in Linux side,
that could workaround the issue that firmare initialize CNTVOFF.

But if use that property, virtuali

arm32: sm: init CNTVOFF

There is an property "arm,cpu-registers-not-fw-configured" in Linux side,
that could workaround the issue that firmare initialize CNTVOFF.

But if use that property, virtualization support will be break in linux.

Also without CNTVOFF or that property no defined, kernel could not
boot up on i.MX7D with two cores.

So we init CNTVOFF in OP-TEE to make kernel work well.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

tzc380: export more api

Introduce tzc_security_inversion_en tzc_enable_region tzc_fail_dump and
tzc_int_clear.

When we want to block secure access to region configured TZC_ATTR_SP_NS_RW,
need to us

tzc380: export more api

Introduce tzc_security_inversion_en tzc_enable_region tzc_fail_dump and
tzc_int_clear.

When we want to block secure access to region configured TZC_ATTR_SP_NS_RW,
need to use tzc_security_inversion_en.

Sometimes we need to configure the regions first, then enable the
region.

tzasc380 interrupt could be enabled to catch some illegal access
with tzc_fail_dump and tzc_int_clear.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

tzc380: do not write reserved bits

For region0, only SP is configurable, so should not configure
region low/high.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander

tzc380: do not write reserved bits

For region0, only SP is configurable, so should not configure
region low/high.

Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: add pseudo-TA for retrieve sdp physical address

Add a pseudo-TA to convert a Secure Data Path virtual address to
physical address. May only be called by a TA that has
TA_FLAG_SECURE_DATA_PATH.

core: add pseudo-TA for retrieve sdp physical address

Add a pseudo-TA to convert a Secure Data Path virtual address to
physical address. May only be called by a TA that has
TA_FLAG_SECURE_DATA_PATH.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Edison Ai <edison.ai@arm.com> (Juno)
Signed-off-by: Edison Ai <edison.ai@arm.com>

show more ...

Define register_sdp_mem() only when CFG_SECURE_DATA_PATH is defined

Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-o

Define register_sdp_mem() only when CFG_SECURE_DATA_PATH is defined

Suggested-by: Jerome Forissier <jerome.forissier@linaro.org>
Suggested-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: arm32: sm_a32.S: fix assembly errors

Fixes assembly error:
AS out/arm/core/arch/arm/sm/sm_a32.o
core/arch/arm/sm/sm_a32.S: Assembler messages:
core/arch/arm/sm/sm_a32.S:354: Error: invalid con

core: arm32: sm_a32.S: fix assembly errors

Fixes assembly error:
AS out/arm/core/arch/arm/sm/sm_a32.o
core/arch/arm/sm/sm_a32.S: Assembler messages:
core/arch/arm/sm/sm_a32.S:354: Error: invalid constant (c08) after fixup
core/arch/arm/sm/sm_a32.S:356: Error: invalid constant (c09) after fixup
core/arch/arm/sm/sm_a32.S:358: Error: invalid constant (c0e) after fixup
core/arch/arm/sm/sm_a32.S:363: Error: invalid constant (c0f) after fixup
mk/compile.mk:146: recipe for target 'out/arm/core/arch/arm/sm/sm_a32.o' failed

Fixes: 2ac6322d1ab1 ("core: arm32: sm: runtime selection of spectre workaround")
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (QEMU v7)
Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64.S: spectre workaround

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions originating in secure EL0
(secure user space).

Fixes

core: arm64.S: spectre workaround

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions originating in secure EL0
(secure user space).

Fixes CVE-2017-5715

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: thread: update vector relative to vbar

With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use
the minimal kernel mapping during user space execution. With this patch
v

core: arm64: thread: update vector relative to vbar

With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use
the minimal kernel mapping during user space execution. With this patch
vbar is updated relative to previous value in vbar to allow different
exception vectors for different cpu types.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm64: pad vector with illegal instruction

Pads exception vector with an illegal instruction to improve robustness.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by:

core: arm64: pad vector with illegal instruction

Pads exception vector with an illegal instruction to improve robustness.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: thread_a64.S: cleanup vector entries

Renames the labels in the exception vector to use consistent lower case
names.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by:

core: thread_a64.S: cleanup vector entries

Renames the labels in the exception vector to use consistent lower case
names.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm.h: move midr definitions

Moves MIDR definitions from arm32.h to arm.h

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

core: arm32: thread: invalidate branch predictor

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions.

Fixes CVE-2017-5715

Tested-by: Jerom

core: arm32: thread: invalidate branch predictor

If build with CFG_CORE_WORKAROUND_SPECTRE_BP_SEC=y invalidate branch
predictor on all secure world exceptions.

Fixes CVE-2017-5715

Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: thread: update vector relative to vbar

With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use
the minimal kernel mapping during user space execution. With this patch
v

core: arm32: thread: update vector relative to vbar

With CFG_CORE_UNMAP_CORE_AT_EL0=y the exception vector is updated to use
the minimal kernel mapping during user space execution. With this patch
vbar is updated relative to previous value in vbar to allow different
exception vectors for different cpu types.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: sm: runtime selection of spectre workaround

Adds runtime selection of spectre workaround. Special treatment for
Cortex A-15 CPUs on which BPIALL isn't effective and requires a ICIALLU
i

core: arm32: sm: runtime selection of spectre workaround

Adds runtime selection of spectre workaround. Special treatment for
Cortex A-15 CPUs on which BPIALL isn't effective and requires a ICIALLU
instead.

Fixes CVE-2017-5715

Fixes: 3bc90f3d3ecd ("core: arm32: sm: invalidate branch predictor")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

arm32: enable ACTLR_CA15_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA15_ENABLE_INVALIDATE_BTB (ACTLR[0]) in generic boot if
compiled with CFG_CORE_WORKAROUND_SPECTRE_BP or
CFG_CORE_WORKAROUND_SPECTRE_BP_S

arm32: enable ACTLR_CA15_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA15_ENABLE_INVALIDATE_BTB (ACTLR[0]) in generic boot if
compiled with CFG_CORE_WORKAROUND_SPECTRE_BP or
CFG_CORE_WORKAROUND_SPECTRE_BP_SEC and the cpu is discovered to be
Cortex-A15.

Fixes CVE-2017-5715

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-sunxi: ACTLR_CA15_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA15_ENABLE_INVALIDATE_BTB (ACTLR[0]) if compiled with
CFG_CORE_WORKAROUND_SPECTRE_BP or CFG_CORE_WORKAROUND_SPECTRE_BP_SEC.

Fixes CVE-201

plat-sunxi: ACTLR_CA15_ENABLE_INVALIDATE_BTB

Enables ACTLR_CA15_ENABLE_INVALIDATE_BTB (ACTLR[0]) if compiled with
CFG_CORE_WORKAROUND_SPECTRE_BP or CFG_CORE_WORKAROUND_SPECTRE_BP_SEC.

Fixes CVE-2017-5715

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32.h: ACTLR_CA15_ENABLE_INVALIDATE_BTB

Adds Cortex-A15 only define ACTLR_CA15_ENABLE_INVALIDATE_BTB

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Etienne Carriere <etienne.

core: arm32.h: ACTLR_CA15_ENABLE_INVALIDATE_BTB

Adds Cortex-A15 only define ACTLR_CA15_ENABLE_INVALIDATE_BTB

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32.h: remove unused ACTLR_* defines

Removes unused ACTLR_* defines, only keeping ACTLR_SMP.

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere

core: arm32.h: remove unused ACTLR_* defines

Removes unused ACTLR_* defines, only keeping ACTLR_SMP.

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32.h: add MIDR defines

Adds MIDR defines for additional CPUs and also to extract implementer
field.

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Jerome Forissier <jerome.f

core: arm32.h: add MIDR defines

Adds MIDR defines for additional CPUs and also to extract implementer
field.

Acked-by: Andrew Davis <andrew.davis@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: assert foreign interrupts are masked in get_core_pos()

This change modifies get_core_pos() so that calling the routine
from C source asserts the foreign interrupts are masked when
the function

core: assert foreign interrupts are masked in get_core_pos()

This change modifies get_core_pos() so that calling the routine
from C source asserts the foreign interrupts are masked when
the function is called, preventing a cpu migration while reading
current core position.

There is no assertion of foreign interrupt masking for such calls to
get_core_pos() from assembly sources.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...