Age | Commit message (Collapse) | Author |
|
Changes the name of the registered prng descriptor from "prng_mpa" to
"prng_crypto" to better reflect the source of the prng.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves the remaining external source files from tomcrypt src directory.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves remaining exported aes functions to aes.c
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves remaining exported hash functions to hash.c
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves the DH wrappers in tee_ltc_provider.c to its own file, dh.c.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves the RSA wrappers in tee_ltc_provider.c to its own file, rsa.c.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves the ECC wrappers in tee_ltc_provider.c to its own file, ecc.c.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves the DSA wrappers in tee_ltc_provider.c to its own file, dsa.c.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Uses CFG_CRYPTO_RSA, CFG_CRYPTO_DSA, CFG_CRYPTO_DH and CFG_CRYPTO_ECC to
tell if bignum functions needs to be stubbed instead of relying on
_CFG_CRYPTO_WITH_ACIPHER which is about to be removed.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves default assignment of CFG_CORE_MBEDTLS_MPI into mk/config.mk
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves default initialization of CFG_CRYPTOLIB_NAME and CFG_CRYPTOLIB_DIR
to mk/config.mk.
Only assigns default y to CFG_CRYPTO_RSASSA_NA1 in case
CFG_CRYPTOLIB_NAME == tomcrypt.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Links tee.elf with the library archives instead of -llibname in order to
detect multiply defined symbols in several libraries.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Upstream has changed dsa_import() to use inlen instead of MAX_RSA_SIZE.
This is needed when compiling LTC with DSA but without RSA support.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds size of expanded AES encryption key to crypto_aes_expand_enc_key()
and crypto_aes_enc_block() to make the functions more safe to call.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Summer Qin <summer.qin@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Only compile libmpa if libtomcrypt is selected as crypto library and is
configured to use libmpa instead of MPI.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
If the crypto library selected with CFG_CRYPTOLIB_NAME and
CFG_CRYPTOLIB_DIR resides under core it's OK to clear base-prefix.
However, if it can be compiled for user space too we need to keep
base-prefix in order to avoid output conflicts.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds CFG_CRYPTOLIB_NAME_$(CFG_CRYPTOLIB_NAME) := y for easy testing of
which cryptolib currently is in use.
Mbedtls is a bit tricky since it can be compiled either as a support lib
with the bignum routines or as a complete crypto lib.
CFG_CRYPTOLIB_NAME_$(CFG_CRYPTOLIB_NAME) can be used to select optimal
configuration.
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Moves the AES-CTS implementation from LTC wrapper to core/crypto.
The AES-CTS implementation can be overridden in a crypto library by
setting CFG_CRYPTO_CTS_FROM_CRYPTOLIB:=y
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Squash merging branch import/mbedtls-2.16.0
9ee2a92de51f ("libmbedtls: compile new files added with 2.16.0")
9b0818d48d29 ("mbedtls: fix memory leak in mpi_miller_rabin()")
2d6644ee0bbe ("libmedtls: mpi_miller_rabin: increase count limit")
d831db4c238a ("libmbedtls: add mbedtls_mpi_init_mempool()")
df0f4886b663 ("libmbedtls: make mbedtls_mpi_mont*() available")
7b0792062b65 ("libmbedtls: refine mbedtls license header")
2616e2d9709f ("mbedtls: configure mbedtls to reach for config")
d686ab1c51b7 ("mbedtls: remove default include/mbedtls/config.h")
50a57cfac892 ("Import mbedtls-2.16.0")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Introduces CFG_TA_ASLR to enable Address Space Layout Randomization of
Trusted Applications. ASLR makes the exploitation of memory corruption
vulnerabilities harder.
The feature is disabled by default except for the configurations I
could test (QEMU and HiKey960).
When CFG_TA_ASLR=y, the stack and subsequent ELF file(s) needed by the
TA are mapped into the user VA space with a random offset comprised
between CFG_TA_ASLR_MIN_OFFSET_PAGES and CFG_TA_ASLR_MAX_OFFSET_PAGES
pages (that is between 0 and 128 pages by default).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, HiKey960)
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Improve the layout of the TA dump message by using fixed width for
physical and virtual addresses: 0x + 8 or 16 characters, depending on
the address size (32 or 64 bits). This makes the output more
consistent, more readable, and nicer overall.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Export two macros that are useful to print virtual or physical addresses
with the full width required by the native type, that is, 0x + 8
characters when the pointer size is 32 bits, and 0x + 16 characters when
it is 64 bits.
Example:
vaddr_t va = 0x1234;
DMSG("va=0x%0*" PRIxVA, PRIxVA_WIDTH, va);
The above code will print "va=0x00001234" if vaddr_t is 32 bits, and
"va=0x0000000000001234" if vaddr_t is 64 bits.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
There is a possible buffer overflow in base64_dec(). Since the output
buffer size is *blen, the last byte of the buffer is buf[*blen - 1] and
therefore the buffer must not be written to when the current index m is
such that (m >= *blen), not (m > *blen).
Reported-by: Naveen Thenkani <tnaveenmca@gmail.com>
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Until now tee_api_arith_mpi.c assumed that for instance
TEE_BigIntConvertFromOctetString() wouldn't do a
mbedtls_mpi_free(mpi);
mbedtls_mpi_init(mpi);
sequence on the supplied mpi argument. Doing so replaces the special
allocation type MBEDTLS_MPI_ALLOC_TYPE_STATIC with
MBEDTLS_MPI_ALLOC_TYPE_MALLOC. This results in the value of the mpi
argument isn't propagated further to the dest argument of
TEE_BigIntConvertFromOctetString().
With this patch we're instead explicitly copying the value of
mbedtls_mpi to a TEE_BigInt when the value should be returned.
This patch is also needed when upgrading to mbedtls-2.16 or there will
be errors.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds a couple of mbed TLS types to typedefs.checkpatch to avoid the
following warning:
WARNING: Missing a blank line after declarations
#100: FILE: lib/libutee/tee_api_arith_mpi.c:105:
+ const struct bigint_hdr *hdr = (struct bigint_hdr *)bigInt;
+ const mbedtls_mpi_uint *p = (const mbedtls_mpi_uint *)(hdr + 1);
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Aside from reserving the shared memory, also reserve the TZDRAM OP-TEE
memory.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
If the reserved-memory subnode does not exist, retrieve address-cells
and size-cells from the root node.
The linux kernel checks whether these properties match between the root
and reserved-memory nodes and discards non-matching nodes.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
Rename the shared reserved memory node from "optee" to "optee_shm".
This should avoid confusion when we introduce the "optee_core" reserved
memory node in later commits.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
Fix UART1 base address for zcu102, zc1751_dc1, zc1751_dc2 flavors.
More information provided p226 of UG1085 [1].
Link: [1] https://www.xilinx.com/support/documentation/user_guides/ug1085-zynq-ultrascale-trm.pdf
Signed-off-by: Michael Grand <michael.grand.mg@gmail.com>
[jf: move URL to a Link: tag]
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
User TA crash dumps were slightly modified to better align region
numbers. scripts/symbolize.py needs to be updated accordingly.
Fixes: dba5a1eab8af1 ("core: better align output of TA dump with many or big regions")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
Uses struct crypto_authenc_ops pointer in crypto context for authenc
ciphers (AES-GCM and AES-CCM) as a glue layer instead of a switch(algo)
in each cryto_authenc_*() function.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Uses struct crypto_cipher_ops pointer in crypto context for ciphers as a
glue layer instead of a switch(algo) in each crypto_cipher_*() function.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Uses struct crypto_mac_ops pointer in crypto context for MACs as a
glue layer instead of a switch(algo) in each crypto_mac_*() function.
Moves CBC-MAC implementation from LTC wrapper to core/crypto.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Prior to this patch only the prototype and a stub of
crypto_cipher_get_block_size() was available. With this patch replace
the stub with an implementation.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Uses struct crypto_hash_ops pointer in crypto context for hashes as a
glue layer instead of a switch(algo) in each crypto_hash_*() function.
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Add flavor 'ultra96' to platform 'zynqmp'.
Redirect TEE console output to UART1.
Signed-off-by: Michael Grand <michael.grand.mg@gmail.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
In tee_fs_init_key_manager(), Secure Storage Key (SSK) is computed as
follow:
SSK = HMAC(HUK, message)
message := concatenate(chip_id, static string)
chip_id is a 32-byte array but some tee_otp_get_die_id() implementation
may provide a smaller chip ID. Initialize the chip_id array to make
sure the remaining bytes do not contain garbage data. Without this
initialization, SSK may be inconsistent across power cycles generating
failures when reading back data from the secure storage.
Signed-off-by: Alexandre Jutras <alexandre.jutras@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Update inline comment and value for the deprecated TA flag
TA_FLAG_REMAP_SUPPORT.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Drivers is embedded upon CFG_STM32_I2C=y.
The driver main API functions are:
stm32_i2c_init() to initialize the device driver,
stm32_i2c_mem_{write|read}() for I2C memory mode transfer,
stm32_i2c_master_{transmit|receive}() for stream transfer.
2 helpers:
stm32_i2c_is_device_ready() checks the hardware I2C link,
stm32_i2c_get_setup_from_fdt() fills the I2C initialization
structure from the content found in the DT.
I2C driver instances do not register themselves to the PM
framework. Bus owner is responsible for calling the
stm32_i2c_{suspend|resume}() APIs when the owner device
executes a PM sequence.
stm32_i2c driver is dual licensed GPL-2.0/BSD-3-Clause.
The conversion algorithm for converting device tree bindings
timing information into STM32 I2C timings configuration
register is shared with other packages (Linux kernel, Arm
Trusted Firmware-A, U-Boot).
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Signed-off-by: Pascal Paillet <p.paillet@st.com>
Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
Signed-off-by: Yann Gautier <yann.gautier@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Default integer division rounds down. Here the interest is
to round to the nearest unsigned integer.
This is inspired from [1].
Link: [1] https://chromium.googlesource.com/chromiumos/platform/ec/+/master/include/util.h
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Commit 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and
USER_MODE") removes the requirement for user TAs to set the flags
TA_FLAG_EXEC_DDR (bit 0) and TA_FLAG_USER_MODE (bit 1), the rationale
being that they are meaningless in the current implementation.
The macros are re-defined to be zero to reflect the fact that they have
no use. But, instead of ignoring the previous values, the TEE core now
requires that bits 0 and 1 must *not* be set. This is a problem because
it needlessly breaks backward compatibility. A TA built against OP-TEE
3.0.0 will not work with 3.1.0 or later:
E/TC:? 0 tee_ta_init_user_ta_session:1040 Invalid TA flag(s) 0x3
This commit changes the acceptable flags mask (TA_FLAGS_MASK) to
include the previous EXEC_DDR and USER_MODE bits, thus restoring
backward compatibility.
Fixes: 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and USER_MODE")
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
With the introduction of shared libutee/libutils/libmbedtls etc., it
is not uncommon for a TA to have more than 10 memory regions. When this
happens, the crash dump output is not properly aligned.
Similarly, since there is no width specifier when we print the region
size, misalignments can occur.
This commit makes the output look good for up to 100 regions of up to
16 MiB in size.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
When CFG_ULIBS_SHARED=y (default n), build libutils, libmpa/libmbedtls
and libutee as shared libraries (.so). The static archives (.a) are
still produced. The linker uses shared libraries by default when
present so TAs just need to be re-built to use the shared libraries.
For the time being, in-tree TAs are always linked statically for
practical reasons. Indeed, in-tree TAs (such as ta/avb) are likely
to be used as "early TAs". If such a TA was linked against shared
libraries, then those libraries would need to be installed in the
"early TA" area, too. While this works fine technically, it requires
some more steps in the Makefiles to make sure the proper dependencies
are installed and also it would mean that those libraries take
precedence over the ones potentially installed in the REE FS etc.
In other words, it would raise questions that we do not want nor need
to address now.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
The symbol referenced by a R_ARM_ABS32 or R_AARCH64_ABS64 relocation
may very well be external to the binary being relocated (for example,
defined in a shared library). In this case, the section table index for
the symbol is SHN_UNDEF and we need to perform process-wide symbol
resolution.
This fixes an issue I found when linking a TA against a shared version
of libutee (this configuration is introduced in a later commit). In this
case, ta_head::entry is set to __utee_entry which is in libutee.so,
hence undefined in the TA binary.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Add link flag '--as-needed' to avoid adding dependencies onto shared
libraries that are not actually used. This becomes particularly useful
when we build the base user libraries (libutils, libmpa and libmbedtls) as
shared objects. Without the flag, and because all libraries are passed to
the linker by default, all TAs would need to map all the libraries at
runtime resulting in a waste of memory.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
This commit adds the infrastructure to build libutils, libmpa/
libmbedtls etc. as shared objects (.so).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
Remove useless newline character in few generic debug traces.
Remove argument __func__ from a FMSG trace since already
output by macro FMSG().
Remove error trace from syscall_storage_obj_read() that, prior
this change, output failing error code from storage read()
handler. This is useless and not done for other storage handlers
return code.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Use IMSG() traces when external and embedded DTB are tested.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Change trace message indicating absence of external DTB
from error level to debug level. Implementation and comment
clearly state the configuration is fully legitimate.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
TA source files are compiled with the -fpie GCC flag in order to
generate a Position Independent Executable. This is not suitable to
produce a shared library as introduced by commit f8896d1301fc ("TA dev
kit: add support for creating shared libraries"). -fpic should be used
instead. Here is what the GCC man page has to say on these flags:
-fpic
Generate position-independent code (PIC) suitable for use in a
shared library [...]
-fpie
-fPIE
These options are similar to -fpic and -fPIC, but generated
position independent code can be only linked into executables.
So, it is quite clear that -fpie is wrong for a shared library. It is
not very clear however if -fpic can be used when generating code for an
executable. I think it can, and there is a bug report against the GCC
documentation that would confirm this [1]. Therefore we can simply use
-fpic in all cases. This is quite convenient because we currently make
no difference in the compile flags when we are building an executable,
a static library or a shared library.
The difference between -fpie and -fpic has to do with the kinds of
relocations that the compiler is allowed to emit. I stumbled upon this
issue when experimenting with shared libraries and the code proposed
by Jens to share read-only pages between TAs [2]. In my test case, a
shared library already loaded by one TA, is used by another TA. During
the load phase of the second TA, the TEE core crashed with a data-abort
(write permission fault) when trying to apply an R_ARM_REL32 relocation
to some literal pool data in the .text section of the library. The
whole .text being mapped read-only, there should be no relocation to do
here. And indeed the cause was the wrong flag (-fpie) used when
compiling the shared library.
Link: [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70419
Link: [2] https://github.com/OP-TEE/optee_os/pull/2801
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
CC: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960 32 & 64-bit TA)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org> (stm32mp1 Armv7)
|