libutils: bget_malloc.c: fix overflow tests

The overflow tests in raw_calloc(), raw_realloc() and raw_malloc() are
wrong. They don't work as expected when hdr_size and ftr_size are both
zero. The bu

libutils: bget_malloc.c: fix overflow tests

The overflow tests in raw_calloc(), raw_realloc() and raw_malloc() are
wrong. They don't work as expected when hdr_size and ftr_size are both
zero. The bug is exposed by commit 96c1d8c56cde ("ta: TEE_Malloc() and
friend: skips layers") which causes xtest 8033 to fail because
TEE_Malloc(0, TEE_MALLOC_FILL_ZERO) now returns NULL.

In addition, the allocation functions in bget.c (bget(), bgetz() and
bgetr()) take a parameter of type bufsize for the allocation size. This
happens to be a (signed) long. On the other hand, raw_malloc(),
raw_calloc() and raw_realloc() take a size_t parameter which is
unsigned long. Therefore, large size values are incorrectly interpreted
as being negative by the bget code, which then asserts. When run in the
context of a TA, this causes a TA panic instead of a
TEE_ERROR_OUT_OF_MEMORY error. This bug is also exposed by
commit 96c1d8c56cde ("ta: TEE_Malloc() and friend: skips layers") and
makes xtest 8034 and 8042 fail. 8034 is TEE_Malloc(0xFFFFFFFE,
TEE_MALLOC_FILL_ZERO) while 8042 is TEE_Realloc(ptr, 0xFFFFFFFE).

Rework the raw_calloc(), raw_realloc() and raw_malloc() functions to
use the MUL_OVERFLOW() and ADD_OVERFLOW() macros instead, operating on
the proper types.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

util: fix fallback SUB_OVERFLOW() macro

This only applies when the compiler doesn't provide the
__builtin_sub_overflow() function (before GCC 5.1).

Fixes problem due to integer promotion in overflo

util: fix fallback SUB_OVERFLOW() macro

This only applies when the compiler doesn't provide the
__builtin_sub_overflow() function (before GCC 5.1).

Fixes problem due to integer promotion in overflow macros when result is
a signed type and the subtrahend is an unsigned type with a low value.

SUB_OVERFLOW() still doesn't handle all combinations of signed and
unsigned types in the parameters.

Fixes: ce0d8e2da340 ("util: add macros for arithmetics with overflow checking")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

util: fix fallback ADD_OVERFLOW() macro

This only applies when the compiler doesn't provide the
__builtin_add_overflow() function (before GCC 5.1).

Fixes problem due to integer promotion in overflo

util: fix fallback ADD_OVERFLOW() macro

This only applies when the compiler doesn't provide the
__builtin_add_overflow() function (before GCC 5.1).

Fixes problem due to integer promotion in overflow macros when result is
a signed type and the second addend is an unsigned type with value 0.

ADD_OVERFLOW() still doesn't handle all combinations of signed and
unsigned types in the parameters.

Fixes: ce0d8e2da340 ("util: add macros for arithmetics with overflow checking")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-imx: remove dependency on CFG_DT=y

Enable IMX to run without a device tree (CFG_DT=n).
The only use of the device tree is for the WDOG driver
to get it's base address.

Tested on Sabre IMX6 and

plat-imx: remove dependency on CFG_DT=y

Enable IMX to run without a device tree (CFG_DT=n).
The only use of the device tree is for the WDOG driver
to get it's base address.

Tested on Sabre IMX6 and Sabre IMX7.

Reviewed-by: Peng Fan <peng.fan@nxp.com>
Tested-by: Jordan Rhee <jordanrh@microsoft.com>
Signed-off-by: Jordan Rhee <jordanrh@microsoft.com>

show more ...

core: arm32: add support for dynamically linked TAs

This commit adds support for 32-bit dynamically linked Trusted
Applications. The config flag for this feature is CFG_TA_DYNLINK,
default enabled.

core: arm32: add support for dynamically linked TAs

This commit adds support for 32-bit dynamically linked Trusted
Applications. The config flag for this feature is CFG_TA_DYNLINK,
default enabled.

Why do this? Several reasons:

1. Save space in the TA storage area. The OP-TEE core libraries
(libutee, libutils, libmpa) could very well be provided as shared
objects (.so) rather than archive files (.a). They would be installed
only once in the TA storage, instead of being duplicated inside each TA.
2. Allow upgrade of some libraries without re-linking the TAs.
3. Pave the way to sharing code pages between TAs, thus potentially
reducing the memory footprint of the TEE.

The ELF loader is updated as follows:

- Locate the dynamic section in the program headers (PT_DYNAMIC entry).
- Find the required external libraries by looking for DT_NEEDED entries
in the dynamic section. Libraries are .so files signed like TAs and
identified by a UUID so that the TA stores can be re-used. Using a UUID
is also more flexible, because a new versions of a library may keep the
same UUID or use another one.
- Load all the libraries.
- Process the dynamic relocations of type R_ARM_GLOB_DAT and
R_ARM_JUMP_SLOT by resolving symbols by name, in breadth first order.
- Map the library code and data into the user VA space.

The stack unwinding code will be updated in a later commit. As a result
only the main executable may be unwound ; stack dumps will stop if the
call stack goes inside a shared library.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960 32/64)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

ta.ld.S: make .plt section of user TAs executable

This patch is preparatory work for the support of dynamically linked
user mode TAs.

The Procedure Linkage Table (.plt) section should be executable

ta.ld.S: make .plt section of user TAs executable

This patch is preparatory work for the support of dynamically linked
user mode TAs.

The Procedure Linkage Table (.plt) section should be executable,
because it contains special code used to redirect function calls to
the proper destination in external (shared) libraries. Therefore, move
it into the executable segment.

A couple of blank lines are removed in the hope that it will make it
easier to see which sections are grouped together in the same segment.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

TA dev kit: add support for creating shared libraries

A new Makefile include (ta/arch/arm/link_shlib.mk) is introduced, it is
quite similar to the file used to generate a TA (ta/arch/arm/link.mk)
ex

TA dev kit: add support for creating shared libraries

A new Makefile include (ta/arch/arm/link_shlib.mk) is introduced, it is
quite similar to the file used to generate a TA (ta/arch/arm/link.mk)
except that is produces a shared object: $(SHLIBNAME).so. A signed file
is also produced: $(SHLIBUUID).ta.

Actual support for dynamically linked TAs in the OP-TEE ELF loader will
be added in subsequent patches.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

TA dev kit: minor cleanup

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

libutils: isoc: implement tolower(), isdigit() and isxdigit()

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim B

libutils: isoc: implement tolower(), isdigit() and isxdigit()

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

Prevent unused warnings in speculation_barrier.h

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.b

Prevent unused warnings in speculation_barrier.h

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

libutils: import speculation_barrier.h

Import speculation_barrier.h from [1]. This file implements a set of
wrapper macros for the __builtin_load_no_speculate builtin function
detailed at [2]. This

libutils: import speculation_barrier.h

Import speculation_barrier.h from [1]. This file implements a set of
wrapper macros for the __builtin_load_no_speculate builtin function
detailed at [2]. This builtin function defines a speculation barrier,
which can be used to limit the conditions under which a value which has
been loaded can be used under specualtive execution.

The header file provided here allows a migration path to using the
builtin function for users who are unable to immediately upgrade to a
compiler which supports the builtin.

(Description taken from the README.md file of the speculation_barrier
project by Arm on GitHub [3])

Link: [1] https://raw.githubusercontent.com/ARM-software/speculation-barrier/80e65cd830b321ff676941c2fab773da450e6dae/speculation_barrier.h
Link: [2] https://www.arm.com/security-update
Link: [3] https://github.com/ARM-software/speculation-barrier
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: syscall_open_ta_session(): make sure user context is set

There is no guarantee that the current user context is preserved
after tee_ta_open_session(). Therefore, set it again before copying
da

core: syscall_open_ta_session(): make sure user context is set

There is no guarantee that the current user context is preserved
after tee_ta_open_session(). Therefore, set it again before copying
data to user space.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

core: arm32: do not unwind TA stack if .ARM.exidx is not present

If a TA has no exception index table (.ARM.exidx section), it is not
rejected by the loader but it cannot be unwound. Therefore, the

core: arm32: do not unwind TA stack if .ARM.exidx is not present

If a TA has no exception index table (.ARM.exidx section), it is not
rejected by the loader but it cannot be unwound. Therefore, the unwind
code should detect this condition to avoid crashing a bit further down.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

plat-rockchip: move some CFG_'s from platform_config.h to conf.mk

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

core: move CFG_TEE_CORE_NB_CORE to conf.mk for various platforms

Update platforms d02, rcar, sam, hikey, mediatek, poplar, rpi3, sprd,
zynqmp and marvell.

These platforms no more defines CFG_ confi

core: move CFG_TEE_CORE_NB_CORE to conf.mk for various platforms

Update platforms d02, rcar, sam, hikey, mediatek, poplar, rpi3, sprd,
zynqmp and marvell.

These platforms no more defines CFG_ configuration directives as
NB_CORE was the last remaining one.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

plat-vexpress: move CFG_TEE_CORE_NB_CORE to platform conf.mk

Aggregate juno config.
Use same platform ordering in conf.mk and platform_config.h.

Signed-off-by: Etienne Carriere <etienne.carriere@li

plat-vexpress: move CFG_TEE_CORE_NB_CORE to platform conf.mk

Aggregate juno config.
Use same platform ordering in conf.mk and platform_config.h.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

Fix crash when bumping qemu to 2.12.0

The implementation of a memory access error handler in qemu/qemu@c79c0a3
is the cause of this crash. OP-TEE's PASSTHRU_READER driver had been
accessing invalid

Fix crash when bumping qemu to 2.12.0

The implementation of a memory access error handler in qemu/qemu@c79c0a3
is the cause of this crash. OP-TEE's PASSTHRU_READER driver had been
accessing invalid memory addresses, which were ignored till the handler
was added to qemu.

Fixes: https://github.com/OP-TEE/optee_os/issues/2291
Signed-off-by: Harikrishnan R <rharikrishnan95@gmail.com>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

show more ...

plat-zynq7k: move some CFG_'s from platform_config.h to conf.mk

Legacy zyn7k does not allow reconfiguring the memory layout, hence
internal labels used are local: discard CFG_DDR_TEETZ_RESERVED_STAR

plat-zynq7k: move some CFG_'s from platform_config.h to conf.mk

Legacy zyn7k does not allow reconfiguring the memory layout, hence
internal labels used are local: discard CFG_DDR_TEETZ_RESERVED_START
CFG_DDR_TEETZ_RESERVED_SIZE, CFG_CORE_TZSRAM_EMUL_START in favor
of hardcoded addresses.

Discard local CFG_PUB_RAM_SIZE in favor to TEE_SHMEM_START/SIZE.

Remove useless DRAM0_BASE/_SIZE, DDR_PHYS_START, DDR_SIZE and
CFG_DDR_START/_SIZE.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Yan Yan <yan.yan@windriver.com>

show more ...

plat-stm: move some CFG_'s from platform_config.h to conf.mk

STM platform can be configured from CFG_DDR_START/_SIZE,
CFG_CORE_TZSRAM_EMUL_START and CFG_DDR_TEETZ_RESERVED_START/_SIZE.

Signed-off-b

plat-stm: move some CFG_'s from platform_config.h to conf.mk

STM platform can be configured from CFG_DDR_START/_SIZE,
CFG_CORE_TZSRAM_EMUL_START and CFG_DDR_TEETZ_RESERVED_START/_SIZE.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

plat-ti: move some CFG_'s from platform_config.h to conf.mk

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Andrew F. Davis <afd@ti.com>

libutil: provide non-stubbed ctypes.h

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@

libutil: provide non-stubbed ctypes.h

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

plat-ls: move some CFG_'s from platform_config.h to conf.mk

Remove CFG_DDR_TEETZ_RESERVED_START/_SIZE: internal to platform.
Remove CFG_PUB_RAM_SIZE, use TEE_SHMEM_SIZE instead.
Remove useless defin

plat-ls: move some CFG_'s from platform_config.h to conf.mk

Remove CFG_DDR_TEETZ_RESERVED_START/_SIZE: internal to platform.
Remove CFG_PUB_RAM_SIZE, use TEE_SHMEM_SIZE instead.
Remove useless definition of DDR_PHYS_START, DDR_SIZE, DRAM0_BASE/_SIZE,
CFG_DDR_START/_SIZE.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com>

show more ...

porting guide: update mandated platform settings

Generic code expects platform sets TZDRAM_BASE, TZDRAM_SIZE,
TEE_RAM_START, TEE_RAM_VA_SIZE, TA_RAM_START, TA_RAM_SIZE,
TEE_SHMEM_START, TEE_SHMEM_SI

porting guide: update mandated platform settings

Generic code expects platform sets TZDRAM_BASE, TZDRAM_SIZE,
TEE_RAM_START, TEE_RAM_VA_SIZE, TA_RAM_START, TA_RAM_SIZE,
TEE_SHMEM_START, TEE_SHMEM_SIZE and TEE_LOAD_ADDR.

Generic code with pager enable expects also TZSRAM_BASE, TZSRAM_SIZE
and TEE_RAM_PH_SIZE.

DRAM0_BASE/SIZE is not required by the generic code.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove CFG_ prefix from CFG_TEE_LOAD_ADDR

TEE_LOAD_ADDR is now local to source files. It is set to CFG_TEE_LOAD_ADDR
value if defined only for the platforms that previously allowed build
to ov

core: remove CFG_ prefix from CFG_TEE_LOAD_ADDR

TEE_LOAD_ADDR is now local to source files. It is set to CFG_TEE_LOAD_ADDR
value if defined only for the platforms that previously allowed build
to override the value. Few platform did hardcod CFG_TEE_LOAD_ADDR, this
change preserve these configurations.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: remove CFG_ prefix from CFG_SHMEM_START/_SIZE

Almost platform currently define these directives from within the
source code, through platform_config.h. These values do not need to
be configura

core: remove CFG_ prefix from CFG_SHMEM_START/_SIZE

Almost platform currently define these directives from within the
source code, through platform_config.h. These values do not need to
be configuration directive with the CFG_ prefix.

This change renames the CFG_SHMEM_xxx into TEE_SHMEM_xxx so that they
do not mess with the platform configuration directives. Yet, the old
CFG_SHMEM_START/SIZE directives can still be used by platform_config.h
to set TEE_SHMEM_START/SIZE if the platform supports it (i.e plat-stm).

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...