core: fix access conflict status in rpmb fs that panics TA

According to the GPD TEE Internal Core API specs, when creating
an existing persistent object without the overwrite flag, the OS
should ret

core: fix access conflict status in rpmb fs that panics TA

According to the GPD TEE Internal Core API specs, when creating
an existing persistent object without the overwrite flag, the OS
should return a TEE_ERROR_ACCESS_CONFLICT status.

This change fixes the RPMB FS layer. An effect of this correction
is that before this change, OS panicked TAs that requested such
forbidden object creation, as a TEE_ERROR_BAD_PARAMETERS return
value is considered by the API as an unexpected status.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)

show more ...

core: arm32: reset_secondary() set reset vector

Sets reset vector in reset_secondary() to trap unexpected exceptions.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wik

core: arm32: reset_secondary() set reset vector

Sets reset vector in reset_secondary() to trap unexpected exceptions.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU v7/v8)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: replace _start with reset() function

Renames _start to reset_vect_table and renames reset() to _start() in
order to avoid pulling in too much unpaged code via
reset_secondary()/cpu_on_h

core: arm32: replace _start with reset() function

Renames _start to reset_vect_table and renames reset() to _start() in
order to avoid pulling in too much unpaged code via
reset_secondary()/cpu_on_handler().

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Keep assembly functions in separate sections

To get a more fine grained selection of which area (init, paged,
unpaged) an assembly function is assigned do the equivalent of
-ffunction-sections but i

Keep assembly functions in separate sections

To get a more fine grained selection of which area (init, paged,
unpaged) an assembly function is assigned do the equivalent of
-ffunction-sections but in assembly.

Some functions has to be in specific places in the binary for a
successful boot, link script is updated accordingly.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm32: thread_set_und_sp(): correct end tag

Sets correct end tag for thread_set_und_sp()

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklan

core: arm32: thread_set_und_sp(): correct end tag

Sets correct end tag for thread_set_und_sp()

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: arm: psci: pass nsec ctx to system_suspend

In the commit 732fc43(core: arm: psci: pass nsec ctx to psci), we have
done the job, but we forgot to follow it in the later commit 1d40eb8
(core: ar

core: arm: psci: pass nsec ctx to system_suspend

In the commit 732fc43(core: arm: psci: pass nsec ctx to psci), we have
done the job, but we forgot to follow it in the later commit 1d40eb8
(core: arm: sm: add PSCI system suspend), fix it in this patch.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>

show more ...

core: fix allocated object on object creation failure in svc storage

Changes syscall_storage_obj_create to give physical object ownership
to the tee object layer only once storage is successfully in

core: fix allocated object on object creation failure in svc storage

Changes syscall_storage_obj_create to give physical object ownership
to the tee object layer only once storage is successfully inited
for that object. Otherwise, if tee_svc_storage_init_file fails,
the storage does not own the physical object and close method
will not release the object.

This change fixes https://github.com/OP-TEE/optee_test/issues/232.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

pta: change DMSG to FMSG for invoke in pta/SDP

When running the default configuration SDP spams a lot:
DEBUG: [0x0] TEE-CORE:invoke_command:338: command entry point
for pseudo t

pta: change DMSG to FMSG for invoke in pta/SDP

When running the default configuration SDP spams a lot:
DEBUG: [0x0] TEE-CORE:invoke_command:338: command entry point
for pseudo ta "invoke_tests.pta"
...

By changing from DMSG to FMSG this will not flood the console anymore.

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

make clean: split file list into manageable chunks

"make clean" might fail with the following error:

make[2]: execvp: /bin/bash: Argument list too long

This error was observed on a platform that

make clean: split file list into manageable chunks

"make clean" might fail with the following error:

make[2]: execvp: /bin/bash: Argument list too long

This error was observed on a platform that has lots of additional
source files compared to upstream (drivers, etc.), and that sets a long
output path on the command line (make ... O=/some/long/path).

Fix the error by splitting the file list into more manageable chunks.
Note that removing one file at a time is not reasonable, because
spawning too may shells takes quite a long time (up to 7-10 seconds to
"make clean").

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reported-by: Lijianhui <airbak.li@hisilicon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Fix comment in tee_ree_fs.c

Signed-off-by: Liu Zheng <wellsleeplz@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

Update CHANGELOG.md for 2.6.0

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (RCAR M3)
Tested-by: Jerome Forissier <jerome.foriss

Update CHANGELOG.md for 2.6.0

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> (RCAR M3)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960)
Tested-by: Akshay Bhat <akshay.bhat@timesys.com> (Atmel SAM)
Tested-by: Kevin Peng <kevinp@marvell.com> (Marvell Armada A8K, A7K)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (Juno)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (RPi3 with NFS)
Tested-by: Joakim Bech <joakim.bech@linaro.org> (MTK8173)
Tested-by: Andrew F. Davis <afd@ti.com> (plat-ti)
Tested-by: Victor Chong <victor.chong@linaro.org> (HiKey Debian)
Tested-by: Victor Chong <victor.chong@linaro.org> (HiKey AOSP)
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (FVP)
Tested-by: Peng Fan <peng.fan@nxp.com> (imx6ulevk imx7dsabresd with vendor linux kernel)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (D02)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMUv8)
Tested-by: Sumit Garg <sumit.garg@nxp.com> (ls1021a-single-core ls1043ardb ls1046ardb)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (b2120, b2260, GP)
Tested-by: Joseph Chen <chenjh@rock-chips.com> (RK322X)

show more ...

entry_std.c: Initialize num_params to fix gcc warning

Signed-off-by: Sumit Garg <sumit.garg@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

thread.c: free rpc arg mobj during cache disabling

Mobj, containing memory for RPC arguments was not deleted
when client disabled argument cache. That would lead
to resource leak.

Signed-off-by: Vo

thread.c: free rpc arg mobj during cache disabling

Mobj, containing memory for RPC arguments was not deleted
when client disabled argument cache. That would lead
to resource leak.

Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Update minor revision to 6 for release tag 2.6.0-rc1

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>

hikey, hikey960: enable dynamic shared memory

Enables dynamic shared memory by registering the non-secure memory
range in plat-hikey/main.c.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro

hikey, hikey960: enable dynamic shared memory

Enables dynamic shared memory by registering the non-secure memory
range in plat-hikey/main.c.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add v2p/p2v tests in embedded tests

Use the invocation test pseudo TA to test virt_to_phys and
phys_to_virt conversions over TA memory reference parameters.

Convert in MEM_AREA_TA_VASPACE mem

core: add v2p/p2v tests in embedded tests

Use the invocation test pseudo TA to test virt_to_phys and
phys_to_virt conversions over TA memory reference parameters.

Convert in MEM_AREA_TA_VASPACE memory when pTA client is a TA.
Otherwise if means pTA client is in the non-secure world and
the memref parameters are mapped straight to TEE core. Try in
the static SHM, SDP memory and in the dynamic SHM.

Several configuration aside pager can make phys_to_virt() failing
to find an existing valid virtual address. When so, do not report
an error to the client.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemus, b2260)

show more ...

core:mmu: privileged land pa2va is not supported in dynamic SHM

Implementation currently does not support finding a mapped virtual
memory address in the dynamic SHM range from a physical address.

T

core:mmu: privileged land pa2va is not supported in dynamic SHM

Implementation currently does not support finding a mapped virtual
memory address in the dynamic SHM range from a physical address.

This change prevents phys_to_virt() from producing a faulty
virtual address when dealing with dynamic SHM virtual address range.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core:debug: add verbosity when pa/va do not match

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

core:mmu: fix userland pa2va conversion

When dealing with a memory object that are physically granulated,
looking for a matching physical page requires to test each granule
of the memory object.

Si

core:mmu: fix userland pa2va conversion

When dealing with a memory object that are physically granulated,
looking for a matching physical page requires to test each granule
of the memory object.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core:mmu: fix userland va2pa conversion

This change takes care that the offset in granule of the target
address to be converted is not added twice when computing the
address physical page based on t

core:mmu: fix userland va2pa conversion

This change takes care that the offset in granule of the target
address to be converted is not added twice when computing the
address physical page based on the memory object reference.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core:unwind: check user context on stack print of panicked TAs

This change checks that the userland context pointer is valid before
reading its content.

Note that this change only lowers the chance

core:unwind: check user context on stack print of panicked TAs

This change checks that the userland context pointer is valid before
reading its content.

Note that this change only lowers the chance of malformed TA being
able to crash core or access core memory using crafted context
reference. The stack unwind process being executed from kernel land,
a real fix could require each stack unwind step to verify the memory
references before going further in the execution history.

Therefore this change does not fix the vulnerability of current
TA stack unwind process against core/TA isolation.

Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

core: map PTA registered shared memory late

Normal registered dynamic shared memory objects are not mapped into
OP-TEE OS memory space as that memory normally only is used in normal
(user) TAs.

If

core: map PTA registered shared memory late

Normal registered dynamic shared memory objects are not mapped into
OP-TEE OS memory space as that memory normally only is used in normal
(user) TAs.

If a Pseudo TA is invoked from a user TA it will use the mapping already
activated for the user TA and can easily access everything the user TA
can access, including buffers passed in parameters for the user TA.

However, if a Pseudo TA is invoked directly from a non-secure client
there is no user TA mapping to share, instead memory buffer passed
in parameters has to be mapped directly.

With this patch registered shared memory buffer passed from a non-secure
client are mapped if needed before invoking the Pseudo TA.

Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (qemu_virt/armv8, b2260)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: reimplement mobj_mapped_shm_alloc()

Now that normal registered shared memory (created with
mobj_reg_shm_alloc()) can be mapped the MOBJ type struct mobj_mapped_shm
is redundant.

With this pat

core: reimplement mobj_mapped_shm_alloc()

Now that normal registered shared memory (created with
mobj_reg_shm_alloc()) can be mapped the MOBJ type struct mobj_mapped_shm
is redundant.

With this patch mobj_mapped_shm_alloc() is reimplemented using
mobj_reg_shm_alloc() and mobj_reg_shm_map().

struct mobj_mapped_shm and all associated functions and variables are
removed.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add mobj_reg_shm_{,un}map()

Adds mobj_reg_shm_map() and mobj_reg_shm_unmap() operating on MOBJs
created with mobj_reg_shm_alloc(), also know as registered shared
memory.

mobj_reg_shm_alloc()

core: add mobj_reg_shm_{,un}map()

Adds mobj_reg_shm_map() and mobj_reg_shm_unmap() operating on MOBJs
created with mobj_reg_shm_alloc(), also know as registered shared
memory.

mobj_reg_shm_alloc() maps the described shared memory into OP-TEE OS
memory space, mobj_reg_shm_unmap() unmaps the same memory again.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: mobj: remove double physical offset

Removes the double bookkeeping of physical offset into first physical
page of a MOBJ. Now all the different offsets are needed to calculate
the final offset

core: mobj: remove double physical offset

Removes the double bookkeeping of physical offset into first physical
page of a MOBJ. Now all the different offsets are needed to calculate
the final offset.

Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...