Age | Commit message | Author |
|
When a keep alive TA instance panics, it continues to exist and
blocks all further use of the TA until the next reboot of the system.
Moreover, when a new session is trying to be created for
the panicked TA (while another session to that TA is still opened),
the system hangs.
This change releases panicked TA context and clears all references to
the released context when the TA panics regardless of the TA properties.
This allows keep alive TA instances to be created back after they have
panicked without needing to reboot OP-TEE core.
Sessions on panicked TAs have to be closed by the client by calling
the proper API when session client is scheduled back.
Signed-off-by: Ovidiu Mihalachi <ovidiu_mihalachi@mentor.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Change is_user_ta_ctx() to support NULL context reference. For such
references the function now returns boolean value false. This allows
callers to nicely abort their sequence when the context reference
is already released from the session instance. Note that callers shall
not assume a context refers to a PTA when is_user_ta_ctx() returns
false, they shall call is_pseudo_ta_ctx().
A side effect is that a few tests on reference and function return value
can be simplified.
This change also ensures TA dump_state() function does not crash when
caller provides a null context reference.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Replace type uintptr_t with type vaddr_t when applicable for consistency
with other resources.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
stm32_uart instance get related pins configuration
from device tree content.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
stm32_uart instance registers as secure/non-secure
resources according to device tree content.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Default enable CFG_STM32_I2C. CFG_STM32_I2C=y mandates embedded device
tree support.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
I2C4 and I2C6 may be assigned to either secure or non-secure worlds
during core initialization. Even when assigned to the non-secure
world core may access the bus during sequences where non-secure world
cannot execute as during atomic low power transition sequences.
This change corrects the missing mapping of I2C4 and I2C6 IO memory
with non-secure access attributes.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Move definition of I2C standard speeds configuration means from driver
source file to its header file. This change allows bus owners to use
appropriate value for bus configuration.
Exposes struct i2c_speed_e and enum i2c_speed_e
This change fixes the driver API as enum i2c_speed_e is expected by
the API.
Fixes: b844655c9519 ("stm32_i2c: driver for STM32 I2C bus")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
When parsing device tree nodes, skip non matching GPIO banks rather
than panicking straight. Function ckeck_gpio_bank() already panics
if not finding a matching GPIO bank node.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Fix timeout detection in i2c_wait_stop().
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Correct missing local variable in stm32_i2c_get_setup_from_fdt().
Fixes: c75303f777b7 ("stm32_i2c: handle pinctrl")
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Sort stm32_* drivers list in alphabetical ordering.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
|
|
Removes the now obsolete CFG_DYN_SHM_CAP. CFG_CORE_DYN_SHM should be
used instead to enable/disable support for dynamic shared memory.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Introduces CFG_CORE_RESERVED_SHM which if set to y enables reserved shared
memory, else disables support for reserved shared memory.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Introduces CFG_CORE_DYN_SHM which if set to y enables dynamic shared
memory, else disables support for dynamic shared memory. In contrast
with CFG_DYN_SHM_CAP it actually removes the support instead of just
omit reporting it.
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Changes the default weak tee_otp_get_die_id() implementation to use
huk_subkey_derive() to derive a unique die ID based on the hardware
unique key.
Note that the SSK derivation retains backwards compatibility if
CFG_CORE_HUK_SUBKEY_COMPAT is set to 'y' and tee_otp_get_die_id() wasn't
replaced with a platform specific implementation.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
tee_rpmb_key_gen() uses huk_subkey_derive() to derive the RPMB instead
of MAC:ing etc directly.
Note that this is only backwards compatible if
CFG_CORE_HUK_SUBKEY_COMPAT=y.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
tee_fs_init_key_manager() uses huk_subkey_derive() to derive the SSK
instead of MAC:ing etc directly.
Note that this is only backwards compatible if
CFG_CORE_HUK_SUBKEY_COMPAT=y.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Adds CFG_CORE_HUK_SUBKEY_COMPAT which if set to 'y' makes
huk_subkey_derive() produce RPMB and SSK keys identical to the legacy
code.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
The hardware unique key should preferably only be used to generate other
keys. This is encouraged with huk_subkey_derive() which is used to
derive a subkey from the hardware unique key.
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
mutex::owner_id was used for debugging purposes only.
Since commit 8aff6c039ee5 ("core: remove thread_{add,rem}_mutex()"), it is
never set to a valid thread ID anymore. Let's just remove the field.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
UART2 is console interface provided on the 40-pin Low Speed
Connector in addition to the default UART3.
Reviewed-by: Victor Chong <victor.chong@linaro.org>
Signed-off-by: Michalis Pappas <mpappas@fastmail.fm>
|
|
If any error is encountered when the TEE core attempts to load a TA from
TA storage, the next storage is tried and so on until the TA is
successfully loaded or there is no more storage to try. In this case, a
generic error code (TEE_ERROR_ITEM_NOT_FOUND) is returned to the caller
of load_elf() and ultimately to the client. This is not super useful,
especially when debug traces are disabled, because the user has no way
to differentiate a true "not found" situation (which might be a
configuration or deployment issue) from an issue with the TA file
itself or an out-of-memory condition etc.
This commit changes the return code of load_elf() to better reflect the
errors. When load_elf_from_store() returns TEE_ERROR_ITEM_NOT_FOUND or
TEE_ERROR_STORAGE_NOT_AVAILABLE, the next storage is tried.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
low level driver for Broadcom IPROC GPIO controller.
Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Victor Chong <victor.chong@linaro.org>
|
|
-add more device ranges and definitions.
-fix dynamic shm api.
-cleanup platform def.
-enable PL022 SPI, bcm HWRNG and bcm SOTP driver.
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
|
|
Under very rare timing circumstances, a data corruption might occur on
a dirty cache line that is evicted from the L1 Data Cache due to another
cache line being entirely written.
Configurations affected:
This erratum affects configurations with either:
- One processor if the ACP is present
- Two or more processors
This erratum can be worked round by setting bit[22] of the undocumented
Diagnostic Control Register to 1. This register is encoded as
CP15 c15 0 c0 1. The bit can be written in Secure state only, with the
following.
Read/Modify/Write code sequence:
MRC p15,0,rt,c15,c0,1
ORR rt,rt,#0x00400000
MCR p15,0,rt,c15,c0,1
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
Tune ACTLR. To SLL, the value is 0xE at runtime.
To others, the value should be 0x4F at runtime.
Bit3 will be enabled when enable L2.
The SMP bit for i.MX6SLL needs to be make ldrex/strex
instruction work properly.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
The default value of L1PCTL field in ACTLR is 0x3, which is
"3 outstanding pre-fetches permitted", the value should not
be overridden with 0 to decrease the performance.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
|
|
Fixes the preallocation to make room for the actual content also in
crypto_bignum_allocate() by calling mbedtls_mpi_grow().
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
This call should be used to query OP-TEE about number of threads
(basically, CFG_NUM_THREADS build option).
It is introduced after discussion at [1] about possibility to read
number of supported threads. It is needed for XEN OP-TEE mediator to
mitigate possible DoS from virtual guest. If XEN knows number of
OP-TEE threads, it can limit number of standard calls from the guest
on own side.
Also, it can be used by optee client driver, to ratelimit number of calls
from its side.
Link: [1] https://lists.xenproject.org/archives/html/xen-devel/2019-01/msg01460.html
Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
Add KEEP_PAGER() for pl022_ops and pl061_ops structs.
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
read16() was replaced with io_read8() instead of io_read16() so fix it.
Fixes: 918bb3a5 ("core: upgrade from write32() to io_write32() and friends")
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
If the expected number of packets are not received during the
transmit+receive cycle, just receive the remaining data after the
cycle if the Receive FIFO (SSPSR_RNE) is not empty, without depending
on the busy (SSPSR_BSY) flag, else we might miss reading some data as
indicated in [1].
LINK: [1] https://github.com/OP-TEE/optee_os/issues/1461#issuecomment-306156463
Signed-off-by: Victor Chong <victor.chong@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
After truncating a persistent object, update dataSize in the
corresponding TEE_ObjectInfo structure.
Signed-off-by: Christopher Tam <godtamit@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP)
|
|
When OP-TEE is built with CFG_WITH_LPAE=y, the things stored in the
.nozi section do not need to be aligned on more than 4 KiB. Only the
non-LPAE case requires 16 KiB alignment for the L1 page table.
Use an #ifdef to minimize the extra space between .heap1 and .nozi,
thus making the heap size closer to what is requested by
CFG_CORE_HEAP_SIZE. This can be useful when trying to minimize the
size of the TEE core binary, which could otherwise be bigger than
necessary by as much as 12 KiB.
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Symbols defined inside output sections are relative to the section
start. Therefore, when we want to check the actual address, we need
to apply the ABSOLUTE() builtin function to the symbol.
Note that symbols defined outside output sections are absolute by
default, and therefore need not be treated the same.
kern.ld.S has two incorrect assertions which can never fail, because
the value that is checked is in fact 0 (since we are at the beginning
of a section in both cases).
Fix the code by adding the missing ABSOLUTE().
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Use the generic RAM layout to configure the TZC380 according to the
device configuration.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Peng Fan <peng.fan@nxp.com>
|
|
The tzc_auto_configure() function takes an address, a size, the attribute
and a region as arguments. It calculates the fitting tzc380 region
configuration and applies it to the controller.
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
|
The TZC380 IP has an action configuration which defines the action taken
if a region is accessed with the wrong permissions.
Devices do not have to set the action register explicitly, add a
function to retrieve the default configuration.
Signed-off-by: Rouven Czerwinski <rouven@czerwinskis.de>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
|
low level driver for Broadcom SOTP controller.
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Rahul Gupta <rahul.gupta@broadcom.com>
Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
|
|
low level driver for Broadcom random number generator IP.
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Bharat Kumar Reddy Gooty <bharat.gooty@broadcom.com>
Signed-off-by: Sandeep Tripathy <sandeep.tripathy@broadcom.com>
|
|
plat-rpi3 has a quite standard memory layout, so there is no sense
to maintain separate configuration if it is possible to use generic
one.
Signed-off-by: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
|
|
Set secure hardening for the GPIOZ pins according to their
peripheral registration.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
With this change, platform configures the ETZPC firewall
according to shared peripheral being assigned to either the
secure or the non-secure world.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
This change adds a platform consistency test between shared
resource registering and SoC RCC hardening.
When secure resources are registered, RCC secure hardening
must be enabled unless what secure world cannot guaranty
the resource reliability.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Add API function stm32mp_register_clock_parents_secure().
The function registers as secure the parent clock(s) of the
target clock reference. This API is used by shared_resources.c
when a clock is registered as secure so that its dependencies
are also registered as secure.
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
This change implements a driver for the stm32mp1 resources that may
be assigned to either secure or non-secure worlds upon the platform
configuration.
Other drivers shall register their resources (when applicable) using
the API functions stm32mp_register_{secure|non_secure}_periph*():
- stm32mp_register_*_periph() registers a resource from its
platform ID.
- stm32mp_register_*_periph_iomem() registers a resource from its
IOMEM base address.
- stm32mp_register_*_periph_gpio() registers a resource from its
GPIO reference, bank and position.
Shared resource driver exports some APIs to query a resource
registration state, stm32mp_periph_is_*(),
stm32mp_gpio_bank_is_*(), stm32mp_clock_is_*().
The driver saves the peripheral assignation. The API does not
allow peripherals to change state at runtime. Moreover, to
prevent testing a resource status before it is registered,
the first query on a resource state locks further registering.
Later attempt to register a peripheral will panic the core.
Resources are either secure or non-secure but clock that may be
shared in which case it will be assigned to the secure world but
a platform service will allow non-secure to access the resource
(i.e. enable/disable the clock). Note such service is out of the
scope of this change, yet this explains API stm32mp_clock_is_shared().
Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
Signed-off-by: Nicolas Le Bayon <nicolas.le.bayon@st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Local function ckeck_gpio_bank() panics if expected conditions
are not met. This change corrects inline comment that states
the function returns an error code.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Get pinctrl support from stm32_gpio.h into STM32 I2C driver.
When device tree content defines pins related to an I2C interface,
the I2C driver saves the pins configuration instances and sets the
registered pins in the expected power mode at runtime.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
|
Swap RCC_BASE and PWR_BASE mapping registering for a nice alpha
ordering of the mapping definitions.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|