path: root/lib/libutee
Age | Commit message | Author
2019-03-18 | libutee: fix off-by-one errors in base64_dec() | Jerome Forissier
There is a possible buffer overflow in base64_dec(). Since the output buffer size is *blen, the last byte of the buffer is buf[*blen - 1] and therefore the buffer must not be written to when the current index m is such that (m >= *blen), not (m > *blen). Reported-by: Naveen Thenkani <tnaveenmca@gmail.com> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
2019-03-15 | libutee: lessen dependency on mbedtls internals | Jens Wiklander
Until now tee_api_arith_mpi.c assumed that for instance TEE_BigIntConvertFromOctetString() wouldn't do a mbedtls_mpi_free(mpi); mbedtls_mpi_init(mpi); sequence on the supplied mpi argument. Doing so replaces the special allocation type MBEDTLS_MPI_ALLOC_TYPE_STATIC with MBEDTLS_MPI_ALLOC_TYPE_MALLOC. This results in the value of the mpi argument not being propagated further to the dest argument of TEE_BigIntConvertFromOctetString(). With this patch we're instead explicitly copying the value of mbedtls_mpi to a TEE_BigInt when the value should be returned. This patch is also needed when upgrading to mbedtls-2.16 or there will be errors. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU, GP) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-08 | libutee: fix deprecated TA_FLAG_REMAP_SUPPORT inline comment | Etienne Carriere
Update inline comment and value for the deprecated TA flag TA_FLAG_REMAP_SUPPORT. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
2019-03-06 | core: ignore deprecated TA flags EXEC_DDR and USER_MODE | Jerome Forissier
Commit 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and USER_MODE") removes the requirement for user TAs to set the flags TA_FLAG_EXEC_DDR (bit 0) and TA_FLAG_USER_MODE (bit 1), the rationale being that they are meaningless in the current implementation. The macros are re-defined to be zero to reflect the fact that they have no use. But, instead of ignoring the previous values, the TEE core now requires that bits 0 and 1 must *not* be set. This is a problem because it needlessly breaks backward compatibility. A TA built against OP-TEE 3.0.0 will not work with 3.1.0 or later:
    E/TC:? 0 tee_ta_init_user_ta_session:1040 Invalid TA flag(s) 0x3
This commit changes the acceptable flags mask (TA_FLAGS_MASK) to include the previous EXEC_DDR and USER_MODE bits, thus restoring backward compatibility. Fixes: 387b0ee39b1b ("core: deprecate TA property flags EXEC_DDR and USER_MODE") Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
2019-02-25 | core: use PTA as acronym for pseudo TA | Etienne Carriere
Make inline comments and trace messages more consistent by using PTA as acronym for pseudo TA, rather than using pTA, PTA and pta at various places. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-02-25 | libutils: remove buf_compare_ct() | Jerome Forissier
Now that we have consttime_memcmp(), buf_compare_ct() is redundant. Every time buf_compare_ct() is used, consttime_memcmp() may be used instead. This commit removes buf_compare_ct(). A compatibility wrapper is kept in <string_ext.h> to avoid knowingly breaking the build of any TA that may use it. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-02-25 | libutee: TEE_MemCompare(): use constant time algorithm | Jerome Forissier
TEE_MemCompare() currently calls memcmp() which returns as soon as a difference is found in the compared buffers. The fact that the comparison is not constant time for a given buffer size can reveal information on the buffer content and lead to side-channel attacks. Although the GlobalPlatform TEE Internal Core API specification says nothing about this timing aspect, it is unsafe not to propose a constant time implementation to TAs. A member of the GP specification working group confirmed in an informal discussion. Therefore, replace memcmp() with consttime_memcmp() for constant time comparison. If a TA needs the fastest possible buffer comparison it can call the C library function memcmp() (from <string.h>), which we provide in libutils. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Bastien Simondi <bsimondi@netflix.com> [3.2] Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
2019-02-19 | libutee: fix TEE_OpenPersistentObject() error behavior | Daniel Glöckner
The TEE spec says about TEE_OpenPersistentObject(): "If this function fails for any reason, the value pointed to by object is set to TEE_HANDLE_NULL." Signed-off-by: Daniel Glöckner <dg@emlix.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
2019-02-05 | Fix alignment of data for mempool_alloc_pool() | Jens Wiklander
Prior to this patch, _TEE_MathAPI_Init() in lib/libutee/tee_api_arith_mpi.c was supplying a data buffer which was only 4 byte aligned while mempool_alloc_pool() requires the alignment of long. This will work in 32-bit mode, but could lead to alignment problems in 64-bit mode. The same problem can happen with lib/libutee/tee_api_arith_mpa.c, but so far it has remained hidden. Incorrect alignment can result in errors like:
    E/TA: assertion '!((vaddr_t)data & (POOL_ALIGN - 1))' failed at lib/libutils/ext/mempool.c:134 in mempool_alloc_pool()
This fix introduces MEMPOOL_ALIGN which specifies required alignment of data supplied to mempool_alloc_pool(). Fixes: 062e3d01c039 ("ta: switch to to mbedtls for bignum") Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v8) Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-01-18 | mbedtls: TEE_BigIntMul(): use temporary | Jerome Forissier
mbedtls_mpi_mul_mpi() checks the allocated size of the output number before starting to multiply the numbers. It makes a conservative guess by requiring the result to be at least as large as the sum of the sizes of the input numbers. For instance, if A fits in one "limb" and B fits in two, then the result is expected to have nblimbs = 3 at least. This is sometimes too restrictive. Consider A = 1 (can be represented with nblimbs == 1 32-bit words) and B = 0x0FFFFFFFFFFFFFFF (fits in a bignum with nblimbs == 2 32-bit words). A * B is equal to B and fits in 2 limbs, but the current code requires 3. This patch fixes the problem by allocating a big enough temporary result. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-01-10 | core: pta: Add device pseudo TA | Sumit Garg
This pseudo TA enumerates OP-TEE pseudo TAs which can act as devices/services for Linux TEE bus driver. For differentiation of such devices, added TA_FLAG_DEVICE_ENUM optional flag in pseudo TA header. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-12-11 | ta: switch to to mbedtls for bignum | Jens Wiklander
Adds tee_api_arith_mpi.c wrapper providing the TEE Arithmetical API around the big (mpi) routines from mbedtls. CFG_TA_MBEDTLS_MPI=y (default y) enables the usage of the bignum routines in libutee. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-12-11 | libutee: rename to tee_api_arith_mpa.c | Jens Wiklander
Renames tee_api_arith.c to tee_api_arith_mpa.c to make room for using other bignum implementations. Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-12-11 | Remove Secure Element API support | Jerome Forissier
There is probably no-one using the Secure Element API. We have never heard anyone asking questions about it, have no way to test it and we believe it is not even working right now. Therefore, remove it.
- The reserved syscalls are still present, but return TEE_ERROR_NOT_SUPPORTED
- The TEE_SE* functions (GlobalPlatform TEE Secure Element API, GPD_SPE_024) are removed from libutee.a and the header file tee_internal_se_api.h is removed as well
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
2018-11-16 | lib.mk: centralize profiling flag (-pg) | Jerome Forissier
Code cleanup, no functional change. This commit avoids the duplication of the -pg flag in the library makefiles. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-11-15 | utee: support prehashed RSA sign/ver without ASN.1 | Gabor Szekely
Add TEE Core Internal API extension TEE_ALG_RSASSA_PKCS1_V1_5 to sign/verify pre-hashed PKCS#1 v1.5 EMSA without ASN.1 around the hash. This relies on libtomcrypt LTC_PKCS_1_V1_5_NA1. The extension can be turned on with CFG_CRYPTO_RSASSA_NA1. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
2018-11-08 | core: introduce lockdep algorithm | Jerome Forissier
This commit introduces an algorithm that may be used to detect improper usage of locks at runtime. It can detect two kinds of errors:
1. A thread tries to release a lock it does not own,
2. A thread tries to acquire a lock and the operation could *potentially* result in a deadlock.

The potential deadlock detection assumes that the code adheres to a strict locking hierarchy, in other words, that there is a partial ordering on the locks so that there can be no situation where circular waits can occur. To put things simply, any two locks should be acquired in the same order in the same thread. This addresses the following case:

    [Thread #1]  [Thread #2]
      lock(A)
                   lock(B)
      lock(B)
                   lock(A) <-- deadlock!
      ...

The algorithm builds the lock hierarchy dynamically and reports as soon as a violation is detected. The interface is made of two functions: lockdep_lock_acquire() and lockdep_lock_release(), which are meant to be introduced in the implementation of the actual lock objects. The "acquire" hook tells the algorithm that a particular lock is about to be requested by a particular thread, while the "release" hook is meant to be called before the lock is actually released. If an error is detected, debugging information is sent to the console, and panic() is called. The debugging information includes the lock cycle that was detected (in the above example, {A, B}), as well as the call stacks at the points where the locks were acquired. The good thing with such an instrumentation of the locking code is that there is no need to wait for an actual deadlock to occur in order to detect potential problems. For instance, the timing of execution in the above example could be different but the problem would still be detected:

    [Thread #1]  [Thread #2]
      lock(A)
      lock(B)
      unlock(B)
      unlock(A)
                   lock(B)
                   lock(A) <-- error!

A pseudo-TA is added for testing (pta/core_lockdep_tests.c).
This code is based on two sources:
- A presentation called "Dl-Check: dynamic potential deadlock detection tool for Java programs" [1], although the somewhat complex MNR algorithm for topological ordering of a DAG was not used;
- A depth-first search algorithm [2] was used instead.
Link: [1] https://www.slideshare.net/IosifItkin/tmpa2017-dlcheck-dynamic-potential-deadlock-detection-tool-for-java-programs Link: [2] https://en.wikipedia.org/wiki/Topological_sorting#Depth-first_search Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-10-08 | libutee: Fix base64 encoding function | Krzysztof Jackiewicz
Bitwise OR of unsigned int and a signed char is machine dependent and could lead to invalid base64 encoding. This commit makes it use unsigned char instead. Signed-off-by: Krzysztof Jackiewicz <k.jackiewicz@samsung.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-07-04 | Use inttypes.h over stdint.h on some .h files | Jens Wiklander
Uses inttypes.h over stdint.h on some .h files to be nice to U-boot. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-06-20 | benchmark: change the way of timestamp buffer allocation. | Igor Opaniuk
If the timestamp buffer is allocated in userspace and new register user memory API is used for its registering in OP-TEE (introduced in optee_client commit 27888d73d156 ("tee_client_api: register user memory")), there is no possibility to keep this mapping permanent among different TEEC_InvokeCommand invocations, as all SHM are automatically unmapped from OP-TEE VA space after TEEC_InvokeCommand is handled by OP-TEE. Timestamp buffer is now allocated with thread_rpc_alloc_global_payload(). Fixes: https://github.com/OP-TEE/optee_os/issues/1979 Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
2018-06-18 | libmpa: remove mpa_set_random_generator() | Jens Wiklander
MPA is used in two configurations, either in kernel mode or in user mode. In kernel mode random is always drawn with crypto_rng_read() and in user mode utee_cryp_random_number_generate() is used instead. This patch makes the code easier to follow by replacing the call via a function pointer to a normal function call instead. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-06-09 | libutee: Fix the keepalive condition on last session close | Andrew Gabbasov
Keepalive condition check should involve single instance flag too, since the keepalive flag is meaningless if the TA is not single instance. The same fix was done earlier in the core by commit f9a64f12b542 ("core: fix the keepalive condition in close session"). Fixes: b7ea03ff2963 ("libutee: fix TA_CreateEntryPoint() and TA_DestroyEntryPoint()") Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-05-30 | pta: add system pTA | Igor Opaniuk
Add system pTA, which provides misc. auxiliary services, extending existing GlobalPlatform Core API. Add a call for seeding entropy to the default RNG pool. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
2018-05-22 | Add rand() for TA usage | Jens Wiklander
Adds rand() by declaring it in stdlib.h where it's expected to be found. Implementation is provided in libutee since it depends on TEE_GenerateRandom(). Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-05-16 | Remove license notice from STMicroelectronics files | Etienne Carriere
For a while now, the source files' license info has been defined by SPDX identifiers. We can safely remove the verbose license text from the files that are owned by either only STMicroelectronics or only both Linaro and STMicroelectronics. Signed-off-by: Etienne Carriere <etienne.carriere@st.com> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-25 | libutee: remove redundant malloc() layers | Jens Wiklander
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-25 | ta: TEE_Malloc() and friend: skips layers | Jens Wiklander
Prior to this patch TEE_Malloc(), TEE_Realloc() and TEE_Free() were using two extra layers implemented on top of the well known malloc(), realloc(), calloc() and free() functions. With this patch the extra layers are skipped. When compiled for user TAs realloc() clears all memory that otherwise would be uninitialized memory since it's required by the spec [1] if TEE_Malloc() is called with the hint TEE_MALLOC_FILL_ZERO. Since that's the only recognized hint in the spec realloc() assumes that it's always needed. [1] GP TEE Internal Core API Specification v1.1 Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-25 | TEE_Realloc(): fix invalid declaration | Jens Wiklander
Prior to this, TEE_Realloc() was declared as:
    void *TEE_Realloc(const void *buffer, uint32_t newSize);
This does not make sense as the argument buffer can and will be changed as a result of calling this function. Instead fix the declaration to be:
    void *TEE_Realloc(void *buffer, uint32_t newSize);
This is also more in line with realloc(). Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-18 | Use mempool API from libutils for bignum allocations | Jens Wiklander
Uses the mempool API from libutils for bignum allocations. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-17 | libutee: out and tag buffers can be too short in TEE_AEEncryptFinal | Etienne Carriere
With this change, a single call to TEE_AEEncryptFinal() checks both the output data buffer size and the tag buffer size and returns TEE_ERROR_SHORT_BUFFER with both expected sizes if at least one of the provided buffers is too short. Before this change the caller may need to call TEE_AEEncryptFinal() twice in the right order to get the output buffers sizes, first for the output data size then for the tag data size. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-05 | core: deprecate TA property flags EXEC_DDR and USER_MODE | Etienne Carriere
TA property flags TA_FLAG_EXEC_DDR and TA_FLAG_USER_MODE were not really useful in the OP-TEE and now they are meaningless. Define the mask of flags a TA may pretend to and assert loaded TAs do not expect flags set outside of the defined supported bit flags. Fix gmon.h against duplicate round macros. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
2018-04-03 | libutee: introduce CFG_TA_BIGNUM_MAX_BITS | Jerome Forissier
Make the size of big numbers in libutee configurable. This controls the size of the big numbers that can be manipulated through the TEE Internal Core API (Arithmetical functions). Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-03 | libutee: remove redundant #define for TEE_MAX_NUMBER_OF_SUPPORTED_BITS | Jerome Forissier
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-01-17 | core: add pseudo-TA for retrieve sdp physical address | Ken Liu
Add a pseudo-TA to convert a Secure Data Path virtual address to physical address. May only be called by a TA that has TA_FLAG_SECURE_DATA_PATH. Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Edison Ai <edison.ai@arm.com> (Juno) Signed-off-by: Edison Ai <edison.ai@arm.com>
2018-01-10 | Remove 'All rights reserved' from Linaro files | Jerome Forissier
The text 'All rights reserved' is useless [1]. The Free Software Foundation's REUSE Initiative best practices document [2] does not contain these words. Therefore, we can safely remove the text from the files that are owned by Linaro. Generated by: spdxify.py --linaro-only --strip-arr optee_os/ Link: [1] https://en.wikipedia.org/wiki/All_rights_reserved Link: [2] https://reuse.software/practices/ Link: [3] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org>
2018-01-10 | Remove license notice from Linaro files | Jerome Forissier
Now that we have added SPDX identifiers, we can safely remove the verbose license text from the files that are owned by Linaro. Generated by [1]: spdxify.py --linaro-only --strip-license-text optee_os/ Link: [1] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org>
2018-01-10 | Add SPDX license identifiers | Jerome Forissier
Adds one SPDX-License-Identifier line [1] to each source file that contains license text. Generated by [2]: spdxify.py --add-spdx optee_os/ The scancode tool [3] was used to double check the license matching code in the Python script. All the licenses detected by scancode are either detected by spdxify.py, or have no SPDX identifier, or are false matches. Link: [1] https://spdx.org/licenses/ Link: [2] https://github.com/jforissier/misc/blob/f7b56c8/spdxify.py Link: [3] https://github.com/nexB/scancode-toolkit Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org>
2018-01-10 | Reformat copyright/license header in files with an SPDX ID | Jerome Forissier
Some files were committed with an SPDX license identifier before the rules were defined [1]. Reformat them accordingly. [1] documentation/copyright_and_license_headers.rst Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org>
2017-12-28 | Fix USER_TA_PROP_TYPE_BOOL handling | Jens Wiklander
In 'ta_props' in ta/arch/arm/user_ta_header.c properties tagged as USER_TA_PROP_TYPE_BOOL are assigned a pointer to a bool, but are in the rest of the code handled as if it was a pointer to a uint32_t. This works as long as a bool is four bytes, but with certain compilers the size of a `bool` is 1 instead, leading to errors. TA properties can be supplied via the define TA_CURRENT_TA_EXT_PROPERTIES. The pattern used in ta/arch/arm/user_ta_header.c is likely copied when assigning properties via TA_CURRENT_TA_EXT_PROPERTIES. This patch is fixing the assumption that the size of a `bool` is the same as the size of a `uint32_t` by changing all handling of USER_TA_PROP_TYPE_BOOL to base it on the type `bool` instead of `uint32_t`. Reviewed-by: Jianhui Li <airbak.li@hisilicon.com> Tested by: Jianhui Li <airbak.li@hisilicon.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-12-19 | libutee: fix TA_CreateEntryPoint() and TA_DestroyEntryPoint() | Jerome Forissier
Fixes issues observed with keep alive single instance TAs:
- TA_CreateEntryPoint() must only be called once,
- TA_DestroyEntryPoint() must not be called when the last session is closed, because the instance is still alive.
While we're at it, simplify the code a bit by not using a separate variable (ta_ref_count) to track whether we have sessions or not. Simply use TAILQ_EMPTY() on the session queue instead. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Kevin Peng <kevinp@marvell.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
2017-12-07 | core: add management pseudo TA for secstor TAs | Jens Wiklander
Adds a pseudo TA for management of Trusted Applications and Security Domains. The pseudo TA only provides a minimal interface, a more advanced interface is supposed to be provided by a user TA using this pseudo TA. Such a TA could for instance implement GlobalPlatform's TEE Management Framework or OTrP. The management TA currently only supports installing bootstrap packaged TAs in secure storage. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960) Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-11-15 | core: pta: add PTA_INVOKE_TESTS_CMD_MUTEX | Jens Wiklander
Adds test function PTA_INVOKE_TESTS_CMD_MUTEX to the invoke tests PTA (PTA_INVOKE_TESTS_UUID). The PTA_INVOKE_TESTS_CMD_MUTEX function is used to test in particular read and write mutex, but also mutex overall. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU) Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-11-15 | core: allow multithreaded pseudo TAs | Jens Wiklander
Introduces TA_FLAG_CONCURRENT valid for pseudo TAs only which allows concurrent execution of the TA. With this change a pseudo TA configured with TA_FLAG_CONCURRENT would accept multiple sessions where each can be used concurrently with the other sessions. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-11-08 | tee: fix improper calloc usage | Volodymyr Babchuk
calloc() takes number of entries as first argument, and size of entry as a second. There were several places where the argument order was reversed. Signed-off-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
2017-10-06 | Dump call stack on TA panic | Jerome Forissier
Adds support for dumping the call stack of a user-mode TA when it panics. Stack unwinding happens in kernel mode by re-using abort_print_error() in core/arch/arm/kernel/abort.c. Like for abort dumps, the helper script scripts/symbolize.py may be used to obtain source-level information. This feature is enabled by default. Set CFG_UNWIND=n to disable it (or CFG_TEE_CORE_DEBUG=n). In libutee, the utee_panic() syscall wrapper is renamed __utee_panic() and now takes an additional parameter: a stack pointer, in addition to the panic code. utee_panic() is written in assembly and pushes some registers onto the stack before calling __utee_panic(). When it is time to return from syscall_panic(), tee_svc_sys_return_helper() uses the stack pointer to get the information needed to unwind the TA stack. A struct abort_info is created and abort_print_error() is called. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU) Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey 32/64) Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMUv8)
2017-10-06 | libutee: add unwind pseudo-ops to syscall wrappers | Jerome Forissier
It is currently not possible to unwind a call stack from within a syscall wrapper, that is the utee_xxx() functions such as utee_panic() for instance. That is because the assembler macro that defines the utee_ functions lacks the proper .fnstart/.save/.fnend pseudo-ops. Add them. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-09-27 | libutee: remove Trusted UI code | Jerome Forissier
Removes all the TUI-related code from libutee (lib/libutee/tui), as well as its dependencies: lib/libpng and lib/libzlib. Two reasons for this:
1. This is far from being a complete and testable TUI implementation. In other words, it is dead code, more or less.
2. lib/libzlib (version 1.2.8) contains several CVE vulnerabilities. Even if the code is not used, it may trigger some code analysis tools and is a problem for some projects.
Reported-by: Jianhui Li <airbak.li@hisilicon.com> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
2017-09-01 | libutee: printf() fix: remove newline added by mistake | Jerome Forissier
puts() was recently modified [1] to always add a trailing newline (\n). This change has broken printf() which uses puts() internally. Fix the issue by calling trace_ext_puts() instead. Fixes: 6246cc9d957c ("libutee: puts(): add trailing newline") Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-08-21 | libutee: puts(): add trailing newline | Jerome Forissier
puts() should print the supplied string and a trailing newline. Fix it accordingly. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2017-08-21 | libutee: printf(): remove prefix and other non-standard behavior | Jerome Forissier
Our implementation of printf() does not comply with the standards, because it adds a prefix to the output and may print truncation characters. By doing so it becomes inconsistent with puts(). It is a problem because the compiler has the ability to perform optimizations and, in some cases, may invoke puts() instead of printf(). Therefore, remove any output that is not strictly specified in the printf() parameters. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>