plat-stm32mp1: add CFG_STM32_ALLOW_UNSAFE_PROBE to probe unsafe peripherals

Add CFG_STM32_ALLOW_UNSAFE_PROBE that allows to unsafely probe
peripherals. This means that the firewall configuration wil

plat-stm32mp1: add CFG_STM32_ALLOW_UNSAFE_PROBE to probe unsafe peripherals

Add CFG_STM32_ALLOW_UNSAFE_PROBE that allows to unsafely probe
peripherals. This means that the firewall configuration will not be
checked before probing a peripheral. Default enable this switch for
DH platforms that use non-securable peripherals in OP-TEE.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_etzpc: move the stm32_etzpc driver to the firewall folder

The ETZPC is a firewall controller. Therefore, move the stm32_etzpc driver
to the firewall folder.

Signed-off-by: Gatien Che

drivers: stm32_etzpc: move the stm32_etzpc driver to the firewall folder

The ETZPC is a firewall controller. Therefore, move the stm32_etzpc driver
to the firewall folder.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: stm32_etzpc: update driver to set ETZPC configuration from DT

Remove old implementation where the ETZPC configuration was a hard
coded table in the shared resources file and use the device

drivers: stm32_etzpc: update driver to set ETZPC configuration from DT

Remove old implementation where the ETZPC configuration was a hard
coded table in the shared resources file and use the device tree to
get it.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp1: default enable CFG_DRIVERS_FIREWALL

Default enable the CFG_DRIVERS_FIREWALL switch that is used to enable
the support of the firewall framework.

On this platform, only the ETZPC is a

plat-stm32mp1: default enable CFG_DRIVERS_FIREWALL

Default enable the CFG_DRIVERS_FIREWALL switch that is used to enable
the support of the firewall framework.

On this platform, only the ETZPC is a firewall controller for now.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: define ETZPC as an access controller for stm32mp13 platforms

ETZPC is a firewall controller. Add the access-controllers property to
all ETZPC sub-nodes on stm32mp13 platforms. Also add t

dts: stm32: define ETZPC as an access controller for stm32mp13 platforms

ETZPC is a firewall controller. Add the access-controllers property to
all ETZPC sub-nodes on stm32mp13 platforms. Also add the "simple-bus"
compatible for backward compatibility and "#access-controllers-cells"
to the ETZPC node.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: define ETZPC as an access controller for stm32mp15 platforms

ETZPC is a firewall controller. Add the access-controllers property to
all ETZPC sub-nodes on stm32mp15x platforms. Also add

dts: stm32: define ETZPC as an access controller for stm32mp15 platforms

ETZPC is a firewall controller. Add the access-controllers property to
all ETZPC sub-nodes on stm32mp15x platforms. Also add the "simple-bus"
compatible for backward compatibility and "#access-controllers-cells"
to the ETZPC node.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: add the ETZPC configuration table for stm32mp1x boards

Add the tables defining the ETZPC firewall controller configuration
that will be set at boot time on stm32mp1x boards.

Signed-off-

dts: stm32: add the ETZPC configuration table for stm32mp1x boards

Add the tables defining the ETZPC firewall controller configuration
that will be set at boot time on stm32mp1x boards.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Johann Neuhauser <jneuhauser@dh-electronics.com>

show more ...

dt-bindings: add platform specific ETZPC bindings

Define ETZPC bindings for STM32MP15 and STM32MP13 and add these
header files into the stm32mp_dt_bindings helper. While there, also
update some incl

dt-bindings: add platform specific ETZPC bindings

Define ETZPC bindings for STM32MP15 and STM32MP13 and add these
header files into the stm32mp_dt_bindings helper. While there, also
update some includes to fix the path errors.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: use st,stm32mp15-i2c-non-secure compatible for the I2C4

Use st,stm32mp15-i2c-non-secure compatible for the I2C4 as it is
currently non-secure on stm32mp15 dkx and evx platforms.

Signed-

dts: stm32: use st,stm32mp15-i2c-non-secure compatible for the I2C4

Use st,stm32mp15-i2c-non-secure compatible for the I2C4 as it is
currently non-secure on stm32mp15 dkx and evx platforms.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: disable VREFBUF on stm32mp15-dkx platforms

VREFBUF is currently not used on stm32mp15-dkx platforms,
so disable it.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Revi

dts: stm32: disable VREFBUF on stm32mp15-dkx platforms

VREFBUF is currently not used on stm32mp15-dkx platforms,
so disable it.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: disable ADC2 on stm32mp135f-dk

Remove ADC2 configuration in stm32mp135-dk.dts since OP-TEE does not
use the device.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Revi

dts: stm32: disable ADC2 on stm32mp135f-dk

Remove ADC2 configuration in stm32mp135-dk.dts since OP-TEE does not
use the device.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: default disable DMA at SoC level for stm32mp15 platforms

DMA node in stm32mp15* SoC DTSI files shouldn't be enabled by default,
we don't even have a driver to handle it. Therefore defaul

dts: stm32: default disable DMA at SoC level for stm32mp15 platforms

DMA node in stm32mp15* SoC DTSI files shouldn't be enabled by default,
we don't even have a driver to handle it. Therefore default disable it.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fix race in mobj_reg_shm_get_by_cookie()

Until this patch in mobj_reg_shm_get_by_cookie() there's a small window
after cpu_spin_unlock_xrestore() before the reference counter is
increased with

core: fix race in mobj_reg_shm_get_by_cookie()

Until this patch in mobj_reg_shm_get_by_cookie() there's a small window
after cpu_spin_unlock_xrestore() before the reference counter is
increased with mobj_get(). Fix that by calling mobj_get() before
unlocking reg_shm_slist_lock.

Fixes: b96514926b8e ("core: reference count struct mobj")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

drivers: caam: skip JR init of CFG_JR_HAB_INDEX

On iMX8M SoC, the HAB requires the JR0 to be set to secure world to
decrypt the kernel image when loading the image in U-Boot.

Before reaching u-boot

drivers: caam: skip JR init of CFG_JR_HAB_INDEX

On iMX8M SoC, the HAB requires the JR0 to be set to secure world to
decrypt the kernel image when loading the image in U-Boot.

Before reaching u-boot, OP-TEE and TF-A set the JR0 to the non-secure
domain that leads to a HAB failure when trying to decrypt the kernel.

To fix the issue, this commit introduces CFG_JR_HAB_INDEX that specifies
which JR the HAB uses. OPTEE will skip the initialization of
CFG_JR_HAB_INDEX and leave it as secure.

It will also disable its usage in the device tree to inform the kernel.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

mk/subdir.mk: introduce srcs_ext-y and srcs_ext_base-y

Introduce two new variables srcs_ext-y and srcs_ext_base-y to deal with
compiling source code outside of this git (optee_os.git).

srcs_ext_bas

mk/subdir.mk: introduce srcs_ext-y and srcs_ext_base-y

Introduce two new variables srcs_ext-y and srcs_ext_base-y to deal with
compiling source code outside of this git (optee_os.git).

srcs_ext_base-y assigns the root directory of the external source files
to compile. srcs_ext-y works as srcs-y except that it's relative to the
$(srcs_ext_base-y) directory.

Introduce the per source file variable oname-<file name>-y to override
the default output object file name. This helps to shorten and make a
more sane name for the output object file name when the source file is
outside optee_os source tree, for instance, a third-party library.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

mk: introduce global-incdirs_ext-y

Introduce the global-incdirs_ext-y variable to deal with including
header files from outside of this git (optee_os.git).

Signed-off-by: Jens Wiklander <jens.wikla

mk: introduce global-incdirs_ext-y

Introduce the global-incdirs_ext-y variable to deal with including
header files from outside of this git (optee_os.git).

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

ta_dev_kit.mk: use spec-srcs and spec-out-dir

The commit cfa34d9afb5c ("Add support for compiling in-tree TAs") added
spec-srcs and spec-out-dir for special handling of user_ta_header.c when
compili

ta_dev_kit.mk: use spec-srcs and spec-out-dir

The commit cfa34d9afb5c ("Add support for compiling in-tree TAs") added
spec-srcs and spec-out-dir for special handling of user_ta_header.c when
compiling in-tree TAs.

However, these variables are just as relevant for out-of-tree TAs
compiled via ta/mk/ta_dev_kit.mk. So as a simplification switch to use
spec-srcs and spec-out-dir in that file too.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

mk/subdir.mk: refactor process-subdir-{srcs-y,gensrcs-helper}

Moves the common parts of the two make macros process-subdir-srcs-y and
process-subdir-gensrcs-helper into a new macro, process-file-var

mk/subdir.mk: refactor process-subdir-{srcs-y,gensrcs-helper}

Moves the common parts of the two make macros process-subdir-srcs-y and
process-subdir-gensrcs-helper into a new macro, process-file-vars.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

libmbedtls: mbedtls_config_uta.h: enable SHA-384 and SHA-512 support

Enable SHA-384 and SHA-512 support for user TAs.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne

libmbedtls: mbedtls_config_uta.h: enable SHA-384 and SHA-512 support

Enable SHA-384 and SHA-512 support for user TAs.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

tee_api_types.h: default alignment for TEE_BigIntFMMContext

Remove the custom alignment from TEE_BigIntFMMContext.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Car

tee_api_types.h: default alignment for TEE_BigIntFMMContext

Remove the custom alignment from TEE_BigIntFMMContext.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp2: force CFG_DRIVERS_FIREWALL when supporting RIF controllers

When firewall controllers drivers that implements firewall framework
support are embedded such as RISAB or RIFSC, then CFG_D

plat-stm32mp2: force CFG_DRIVERS_FIREWALL when supporting RIF controllers

When firewall controllers drivers that implements firewall framework
support are embedded such as RISAB or RIFSC, then CFG_DRIVERS_FIREWALL
should be forced enabled.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: move firewall dt-bindings include at SoC level

Firewall controllers are present on every variant of stm32mp25 SoCs.
Therefore, move the inclusion of their dt-bindings at SoC level.

Sign

dts: stm32: move firewall dt-bindings include at SoC level

Firewall controllers are present on every variant of stm32mp25 SoCs.
Therefore, move the inclusion of their dt-bindings at SoC level.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: add RISAB configurations for the stm32mp257f-ev1 platform

Add the internal memory layout and RIF configuration for the
stm32mp257f-ev1 platform.

Signed-off-by: Gatien Chevallier <gatien

dts: stm32: add RISAB configurations for the stm32mp257f-ev1 platform

Add the internal memory layout and RIF configuration for the
stm32mp257f-ev1 platform.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

dts: stm32: add RISAB nodes in the stm32mp251 SoC DT file

Add the RISAB1/2/3/4/5/6 and default enable all of them except for the
RISAB6 that protects the VDERAM.

Signed-off-by: Gatien Chevallier <g

dts: stm32: add RISAB nodes in the stm32mp251 SoC DT file

Add the RISAB1/2/3/4/5/6 and default enable all of them except for the
RISAB6 that protects the VDERAM.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

plat-stm32mp2: default enable RISAB on stm32mp2 platforms

Default enable RISAB driver for platform stm32mp2.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Ca

plat-stm32mp2: default enable RISAB on stm32mp2 platforms

Default enable RISAB driver for platform stm32mp2.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...