- OP-TEE - lists.trustedfirmware.org

by Gabor Toth

Hi Guys, I am working on enabling BTI (and PAC) in trusted-services and I have a question about the topic. If BTI is disabled in OPTEE, but someone tries to load an SP which was compiled with BTI (contains the related gnu note property) it will be successful. This seems to be a security rish and I am thinking of either panicking or at least sending an error message to remind the user that the requested protection will not be enabled. As I know there are common parts between TA-s and SP-s loaded by ldelf so I am not sure whether panicking in this scenario will result in any problems or not. What do you think of this proposal? Do you know of any reasons why BTI protected SP-s should be loadable by BTI disabled OPTEE? Thanks in advance! Gábor

5 months

2
7
0 0

[PATCH v7 0/5] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from version V6: ------------------------------------------ - Fix kernel robot build report on in tee_rproc_find_loaded_rsc_table() inline default definition. Main updates from version V5[1][2]: ------------------------------------------ 1) Rework resource table management - Rework tee_rproc_parse_fw to temporary map the resource table address to create a cached_table (similar to what is done in rproc_elf_load_rsc_table()). - Rename tee_rproc_get_loaded_rsc_table to tee_rproc_find_loaded_rsc_table - Introduce rproc_pa_to_va() allowing to translate the resource table physical address to virtual address based on remoteproc carveouts. 2) Merge the 2 "st,stm32-rproc.yaml" bindings patch in one As the st,rproc-id" is linked to the introduction of the "st,stm32mp1-m4-tee" compatible, merge following patches to address Krzysztof concern. - [PATCH v5 2/7] dt-bindings: remoteproc: Add compatibility for TEE support - [PATCH v5 3/7] dt-bindings: remoteproc: Add processor identifier property More details on updates are listed in commits messages. [1] https://lore.kernel.org/lkml/Zlil4YSjHxb0FRgf@p14s/T/ [2] https://lore.kernel.org/lkml/20240521122458.3517054-1-arnaud.pouliquen@foss… base-commit: 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact.the user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (5): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 ++- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 74 ++- drivers/remoteproc/stm32_rproc.c | 147 ++++-- drivers/remoteproc/tee_remoteproc.c | 451 ++++++++++++++++++ include/linux/remoteproc.h | 7 + include/linux/tee_remoteproc.h | 100 ++++ 8 files changed, 802 insertions(+), 46 deletions(-) create mode 100644 drivers/remoteproc/tee_remoteproc.c create mode 100644 include/linux/tee_remoteproc.h base-commit: 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 -- 2.25.1

5 months

3
10
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting June 25

by Jens Wiklander

Hi, Next week on Tuesday, it's time for another LOC monthly meeting. For time and connection details see the calendar at https://www.trustedfirmware.org/meetings/ We discussed fTPM last time with some actions (see notes at http://bit.ly/loc-notes): - Jan to get approval for sharing code using the new crypto API We have an upcoming OP-TEE release, 4.3.0, July 12th. Any other topics? Cheers, Jens

5 months

1
0
0 0

[PATCH v7 0/4] Replay Protected Memory Block (RPMB) subsystem

by Jens Wiklander

Hi, This patch set introduces a new RPMB subsystem, based on patches from [1], [2], and [3]. The RPMB subsystem aims at providing access to RPMB partitions to other kernel drivers, in particular the OP-TEE driver. A new user space ABI isn't needed, we can instead continue using the already present ABI when writing the RPMB key during production. I've added and removed things to keep only what is needed by the OP-TEE driver. Since the posting of [3], there has been major changes in the MMC subsystem so "mmc: block: register RPMB partition with the RPMB subsystem" is in practice completely rewritten. With this OP-TEE can access RPMB during early boot instead of having to wait for user space to become available as in the current design [4]. This will benefit the efi variables [5] since we won't rely on userspace as well as some TPM issues [6] that were solved. The OP-TEE driver finds the correct RPMB device to interact with by iterating over available devices until one is found with a programmed authentication matching the one OP-TEE is using. This enables coexisting users of other RPMBs since the owner can be determined by who knows the authentication key. The corresponding secure world OP-TEE patches are available at [7]. I've put myself as a maintainer for the RPMB subsystem as I have an interest in the OP-TEE driver to keep this in good shape. However, if you'd rather see someone else taking the maintainership that's fine too. I'll help keep the subsystem updated regardless. [1] https://lore.kernel.org/lkml/20230722014037.42647-1-shyamsaini@linux.micros… [2] https://lore.kernel.org/lkml/20220405093759.1126835-2-alex.bennee@linaro.or… [3] https://lore.kernel.org/linux-mmc/1478548394-8184-2-git-send-email-tomas.wi… [4] https://optee.readthedocs.io/en/latest/architecture/secure_storage.html#rpm… [5] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [6] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… [7] https://github.com/jenswi-linaro/optee_os/tree/rpmb_probe_v7 Thanks, Jens Changes since v6: * Add Tested-by: Manuel Traut <manut(a)mecka.net> provided for the v6 * Add a new patch "tee: add tee_device_set_dev_groups()" needed later in the patch set * Reintroduce the rpmb_class as requested by Greg, this affects the patches "rpmb: add Replay Protected Memory Block (RPMB) subsystem" and "optee: probe RPMB device using RPMB subsystem" * "rpmb: add Replay Protected Memory Block (RPMB) subsystem": - rpmb_interface_{,un}register() are now based on class_interface_{,un}register() - Embed a separate device in struct rpmb_dev for life cycle management etc * "optee: probe RPMB device using RPMB subsystem" - Add an internal blocking_notifier to deal with the struct class_interface callback - Add a rpmb_routing_model variable in sysfs to help integration with systemd, requested by Mikko Rapeli - Add an RPMB probe capability flag in the ABI shared with the secure world, both SMC and FF-A ABI, needed to support the rpmb_routing_model variable - optee_rpc_cmd() is strict whether an RPMB RPC request should be forwarded to tee-supplicant or routed via the RPMB subsystem, depending on the reported RPMB routing model Changes since v5: Manuel Traut reported and investigated an error on an i.MX8MM, the root cause was identified as insufficient alignment on frames sent to the RPMB device. Fixed in the OP-TEE driver as described below. * "rpmb: add Replay Protected Memory Block (RPMB) subsystem" - Adding a missing EXPORT_SYMBOL_GPL() * "optee: probe RPMB device using RPMB subsystem" - Replacing the old OPTEE_RPC_CMD_RPMB ABI with OPTEE_RPC_CMD_RPMB_FRAMES to get rid of the small header struct rpmb_req (now removed) causing the problem. - Matching changes on the secure side + support for re-initializing RPMB in case a boot stage has used RPMB, the latter also reported by Manuel Traut. Changes since v4: * "rpmb: add Replay Protected Memory Block (RPMB) subsystem" - Describing struct rpmb_descr as RPMB description instead of descriptor * "mmc: block: register RPMB partition with the RPMB subsystem" - Addressing review comments - Adding more comments for struct rpmb_frame - Fixing assignment of reliable_wr_count and capacity in mmc_blk_rpmb_add() * "optee: probe RPMB device using RPMB subsystem" - Updating struct rpmb_dev_info to match changes in "rpmb: add Replay Protected Memory Block (RPMB) subsystem" Changes since v3: * Move struct rpmb_frame into the MMC driver since the format of the RPMB frames depend on the implementation, one format for eMMC, another for UFS, and so on * "rpmb: add Replay Protected Memory Block (RPMB) subsystem" - Adding Reviewed-by: Linus Walleij <linus.walleij(a)linaro.org> - Adding more description of the API functions - Removing the set_dev_info() op from struct rpmb_ops, the needed information is supplied in the arguments to rpmb_dev_register() instead. - Getting rid of struct rpmb_ops since only the route_frames() op was remaining, store that op directly in struct rpmb_dev - Changed rpmb_interface_register() and rpmb_interface_unregister() to use notifier_block instead of implementing the same thing ourselves * "mmc: block: register RPMB partition with the RPMB subsystem" - Moving the call to rpmb_dev_register() to be done at the end of mmc_blk_probe() when the device is fully available * "optee: probe RPMB device using RPMB subsystem" - Use IS_REACHABLE(CONFIG_RPMB) to determine if the RPMB subsystem is available - Translate TEE_ERROR_STORAGE_NOT_AVAILABLE if encountered in get_devices() to recognize the error in optee_rpmb_scan() - Simplified optee_rpmb_scan() and optee_rpmb_intf_rdev() Changes since v2: * "rpmb: add Replay Protected Memory Block (RPMB) subsystem" - Fixing documentation issues - Adding a "depends on MMC" in the Kconfig - Removed the class-device and the embedded device, struct rpmb_dev now relies on the parent device for reference counting as requested - Removed the now unneeded rpmb_ops get_resources() and put_resources() since references are already taken in mmc_blk_alloc_rpmb_part() before rpmb_dev_register() is called - Added rpmb_interface_{,un}register() now that class_interface_{,un}register() can't be used ay longer * "mmc: block: register RPMB partition with the RPMB subsystem" - Adding the missing error cleanup in alloc_idata() - Taking the needed reference to md->disk in mmc_blk_alloc_rpmb_part() instead of in mmc_rpmb_chrdev_open() and rpmb_op_mmc_get_resources() * "optee: probe RPMB device using RPMB subsystem" - Registering to get a notification when an RPMB device comes online - Probes for RPMB devices each time an RPMB device comes online, until a usable device is found - When a usable RPMB device is found, call optee_enumerate_devices(PTA_CMD_GET_DEVICES_RPMB) - Pass type of rpmb in return value from OPTEE_RPC_CMD_RPMB_PROBE_NEXT Changes since Shyam's RFC: * Removed the remaining leftover rpmb_cdev_*() function calls * Refactored the struct rpmb_ops with all the previous ops replaced, in some sense closer to [3] with the route_frames() op * Added rpmb_route_frames() * Added struct rpmb_frame, enum rpmb_op_result, and enum rpmb_type from [3] * Removed all functions not needed in the OP-TEE use case * Added "mmc: block: register RPMB partition with the RPMB subsystem", based on the commit with the same name in [3] * Added "optee: probe RPMB device using RPMB subsystem" for integration with OP-TEE * Moved the RPMB driver into drivers/misc/rpmb-core.c * Added my name to MODULE_AUTHOR() in rpmb-core.c * Added an rpmb_mutex to serialize access to the IDA * Removed the target parameter from all rpmb_*() functions since it's currently unused Jens Wiklander (4): rpmb: add Replay Protected Memory Block (RPMB) subsystem mmc: block: register RPMB partition with the RPMB subsystem tee: add tee_device_set_dev_groups() optee: probe RPMB device using RPMB subsystem Documentation/ABI/testing/sysfs-class-tee | 15 ++ MAINTAINERS | 8 + drivers/misc/Kconfig | 10 + drivers/misc/Makefile | 1 + drivers/misc/rpmb-core.c | 232 +++++++++++++++++++++ drivers/mmc/core/block.c | 241 +++++++++++++++++++++- drivers/tee/optee/core.c | 96 ++++++++- drivers/tee/optee/device.c | 7 + drivers/tee/optee/ffa_abi.c | 14 ++ drivers/tee/optee/optee_ffa.h | 2 + drivers/tee/optee/optee_private.h | 26 ++- drivers/tee/optee/optee_rpc_cmd.h | 35 ++++ drivers/tee/optee/optee_smc.h | 2 + drivers/tee/optee/rpc.c | 177 ++++++++++++++++ drivers/tee/optee/smc_abi.c | 14 ++ drivers/tee/tee_core.c | 19 +- include/linux/rpmb.h | 123 +++++++++++ include/linux/tee_drv.h | 12 ++ 18 files changed, 1024 insertions(+), 10 deletions(-) create mode 100644 Documentation/ABI/testing/sysfs-class-tee create mode 100644 drivers/misc/rpmb-core.c create mode 100644 include/linux/rpmb.h -- 2.34.1

5 months, 2 weeks

6
27
0 0

[PATCH v6 0/5] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from the previous version [1][2]: ------------------------------------------ 1) Rework resource table management - Rework tee_rproc_parse_fw to temporary map the resource table address to create a cached_table (similar to what is done in rproc_elf_load_rsc_table()). - Rename tee_rproc_get_loaded_rsc_table to tee_rproc_find_loaded_rsc_table - Introduce rproc_pa_to_va() allowing to translate the resource table physical address to virtual address based on remoteproc carveouts. 2) Merge the 2 "st,stm32-rproc.yaml" bindings patch in one As the st,rproc-id" is linked to the introduction of the "st,stm32mp1-m4-tee" compatible, merge following patches to address Krzysztof concern. - [PATCH v5 2/7] dt-bindings: remoteproc: Add compatibility for TEE support - [PATCH v5 3/7] dt-bindings: remoteproc: Add processor identifier property More details on updates are listed in commits messages. [1] https://lore.kernel.org/lkml/Zlil4YSjHxb0FRgf@p14s/T/ [2] https://lore.kernel.org/lkml/20240521122458.3517054-1-arnaud.pouliquen@foss… base-commit: 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact.the user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (5): remoteproc: core: Introduce rproc_pa_to_va helper remoteproc: Add TEE support dt-bindings: remoteproc: Add compatibility for TEE support remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 ++- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 74 ++- drivers/remoteproc/stm32_rproc.c | 147 ++++-- drivers/remoteproc/tee_remoteproc.c | 451 ++++++++++++++++++ include/linux/remoteproc.h | 7 + include/linux/tee_remoteproc.h | 99 ++++ 8 files changed, 801 insertions(+), 46 deletions(-) create mode 100644 drivers/remoteproc/tee_remoteproc.c create mode 100644 include/linux/tee_remoteproc.h base-commit: 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0 -- 2.25.1

5 months, 2 weeks

4
9
0 0

about Platforms supported

by 李涛

hi. could you pls tell me Which server manufacturer supports op-tee(and provide machine type)?thanks. litao(a)sursen.net

5 months, 2 weeks

2
1
0 0

[RESEND PATCH v5 0/7] Introduction of a remoteproc tee to load signed firmware

by Arnaud Pouliquen

Main updates from the previous version [1]: ------------------------------------------ 1) use proc->table_ptr as unique reference to point to the resource table --> update remoteproc_core.c to implement management of the resource table base on rproc->rproc->tee_interface new field: - on start get the resource table address from TEE remoteproc instead of finding it in firmware (ops choice to confirm) - on stop unmap the resource table before updating the proc->table_ptr pointer. 2) retrieve the TEE rproc Identifier from the device tree instead of hardcoding it --> Add a new "st,proc-id" property in device tree. More details on updates are listed in commits messages [1] https://lore.kernel.org/linux-arm-kernel/20240115135249.296822-1-arnaud.pou… base-commit: c8d8f841e95bcc07ac8c5621fc171a24f1fd5cdb Description of the feature: -------------------------- This series proposes the implementation of a remoteproc tee driver to communicate with a TEE trusted application responsible for authenticating and loading the remoteproc firmware image in an Arm secure context. 1) Principle: The remoteproc tee driver provides services to communicate with the OP-TEE trusted application running on the Trusted Execution Context (TEE). The trusted application in TEE manages the remote processor lifecycle: - authenticating and loading firmware images, - isolating and securing the remote processor memories, - supporting multi-firmware (e.g., TF-M + Zephyr on a Cortex-M33), - managing the start and stop of the firmware by the TEE. 2) Format of the signed image: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/src/remoteproc… 3) OP-TEE trusted application API: Refer to: https://github.com/OP-TEE/optee_os/blob/master/ta/remoteproc/include/ta_rem… 4) OP-TEE signature script Refer to: https://github.com/OP-TEE/optee_os/blob/master/scripts/sign_rproc_fw.py Example of usage: sign_rproc_fw.py --in <fw1.elf> --in <fw2.elf> --out <signed_fw.sign> --key ${OP-TEE_PATH}/keys/default.pem 5) Impact on User space Application No sysfs impact.the user only needs to provide the signed firmware image instead of the ELF image. For more information about the implementation, a presentation is available here (note that the format of the signed image has evolved between the presentation and the integration in OP-TEE). https://resources.linaro.org/en/resource/6c5bGvZwUAjX56fvxthxds Arnaud Pouliquen (7): remoteproc: Add TEE support dt-bindings: remoteproc: Add compatibility for TEE support dt-bindings: remoteproc: Add processor identifier property remoteproc: core introduce rproc_set_rsc_table_on_start function remoteproc: core: support of the tee interface remoteproc: stm32: Create sub-functions to request shutdown and release remoteproc: stm32: Add support of an OP-TEE TA to load the firmware .../bindings/remoteproc/st,stm32-rproc.yaml | 58 ++- drivers/remoteproc/Kconfig | 10 + drivers/remoteproc/Makefile | 1 + drivers/remoteproc/remoteproc_core.c | 135 +++--- drivers/remoteproc/stm32_rproc.c | 149 ++++-- drivers/remoteproc/tee_remoteproc.c | 429 ++++++++++++++++++ include/linux/remoteproc.h | 4 + include/linux/tee_remoteproc.h | 99 ++++ 8 files changed, 784 insertions(+), 101 deletions(-) create mode 100644 drivers/remoteproc/tee_remoteproc.c create mode 100644 include/linux/tee_remoteproc.h -- 2.25.1

5 months, 3 weeks

3
9
0 0

Re: [PATCH v3] optee: add timeout value to optee_notif_wait() to support timeout

by Sumit Garg

On Tue, 21 May 2024 at 14:16, Gavin Liu (劉哲廷) <Gavin.Liu(a)mediatek.com> wrote: > > Hi, Sumit, > > The corresponding OPTEE-OS pull request and change is here. > > https://github.com/OP-TEE/optee_os/pull/6641 As this is an ABI change where I see backwards compatibility is maintained. However, the forwards compatibility requires this change to be backported to stable releases. So for the next version please CC stable ML. > > On Mon, 2024-05-20 at 16:16 +0530, Sumit Garg wrote: > > > > External email : Please do not click links or open attachments until > > you have verified the sender or the content. > > Hi, > > > > On Tue, 7 May 2024 at 07:31, gavin.liu <gavin.liu(a)mediatek.com> > > wrote: > > > > > > From: Gavin Liu <gavin.liu(a)mediatek.com> > > > > > > Add timeout value to support self waking when timeout to avoid > > waiting > > > indefinitely. > > > > > > Signed-off-by: Gavin Liu <gavin.liu(a)mediatek.com> > > > --- > > > change in v3: > > > 1. change the comment in optee_rpc_cmd.h > > > 2. add macro for "TEE_ERROR_TIMEOUT" > > > 3. change from "TEEC_ERROR_BUSY" to "TEE_ERROR_TIMEOUT" > > > --- > > > drivers/tee/optee/notif.c | 9 +++++++-- > > > drivers/tee/optee/optee_private.h | 5 ++++- > > > drivers/tee/optee/optee_rpc_cmd.h | 1 + > > > drivers/tee/optee/rpc.c | 10 ++++++++-- > > > 4 files changed, 20 insertions(+), 5 deletions(-) > > > FWIW: Reviewed-by: Sumit Garg <sumit.garg(a)linaro.org> > > > > > diff --git a/drivers/tee/optee/notif.c b/drivers/tee/optee/notif.c > > > index 0d7878e770cd..1970880c796f 100644 > > > --- a/drivers/tee/optee/notif.c > > > +++ b/drivers/tee/optee/notif.c > > > @@ -29,7 +29,7 @@ static bool have_key(struct optee *optee, u_int > > key) > > > return false; > > > } > > > > > > -int optee_notif_wait(struct optee *optee, u_int key) > > > +int optee_notif_wait(struct optee *optee, u_int key, u32 timeout) > > > { > > > unsigned long flags; > > > struct notif_entry *entry; > > > @@ -70,7 +70,12 @@ int optee_notif_wait(struct optee *optee, u_int > > key) > > > * Unlock temporarily and wait for completion. > > > */ > > > spin_unlock_irqrestore(&optee->notif.lock, flags); > > > - wait_for_completion(&entry->c); > > > + if (timeout != 0) { > > > + if (!wait_for_completion_timeout(&entry->c, > > timeout)) > > > + rc = -ETIMEDOUT; > > > + } else { > > > + wait_for_completion(&entry->c); > > > + } > > > spin_lock_irqsave(&optee->notif.lock, flags); > > > > > > list_del(&entry->link); > > > diff --git a/drivers/tee/optee/optee_private.h > > b/drivers/tee/optee/optee_private.h > > > index 429cc20be5cc..424898cdc4e9 100644 > > > --- a/drivers/tee/optee/optee_private.h > > > +++ b/drivers/tee/optee/optee_private.h > > > @@ -26,6 +26,9 @@ > > > #define TEEC_ERROR_BUSY 0xFFFF000D > > > #define TEEC_ERROR_SHORT_BUFFER 0xFFFF0010 > > > > > > +/* API Return Codes are from the GP TEE Internal Core API > > Specification */ > > > +#define TEE_ERROR_TIMEOUT 0xFFFF3001 > > > + > > > #define TEEC_ORIGIN_COMMS 0x00000002 > > > > > > /* > > > @@ -252,7 +255,7 @@ struct optee_call_ctx { > > > > > > int optee_notif_init(struct optee *optee, u_int max_key); > > > void optee_notif_uninit(struct optee *optee); > > > -int optee_notif_wait(struct optee *optee, u_int key); > > > +int optee_notif_wait(struct optee *optee, u_int key, u32 timeout); > > > int optee_notif_send(struct optee *optee, u_int key); > > > > > > u32 optee_supp_thrd_req(struct tee_context *ctx, u32 func, size_t > > num_params, > > > diff --git a/drivers/tee/optee/optee_rpc_cmd.h > > b/drivers/tee/optee/optee_rpc_cmd.h > > > index f3f06e0994a7..4576751b490c 100644 > > > --- a/drivers/tee/optee/optee_rpc_cmd.h > > > +++ b/drivers/tee/optee/optee_rpc_cmd.h > > > @@ -41,6 +41,7 @@ > > > * Waiting on notification > > > * [in] value[0].a OPTEE_RPC_NOTIFICATION_WAIT > > > * [in] value[0].b notification value > > > + * [in] value[0].c timeout in milliseconds or 0 if no > > timeout > > > * > > > * Sending a synchronous notification > > > * [in] value[0].a OPTEE_RPC_NOTIFICATION_SEND > > > diff --git a/drivers/tee/optee/rpc.c b/drivers/tee/optee/rpc.c > > > index f086812f1179..5de4504665be 100644 > > > --- a/drivers/tee/optee/rpc.c > > > +++ b/drivers/tee/optee/rpc.c > > > @@ -130,6 +130,8 @@ static void > > handle_rpc_func_cmd_i2c_transfer(struct tee_context *ctx, > > > static void handle_rpc_func_cmd_wq(struct optee *optee, > > > struct optee_msg_arg *arg) > > > { > > > + int rc = 0; > > > + > > > if (arg->num_params != 1) > > > goto bad; > > > > > > @@ -139,7 +141,8 @@ static void handle_rpc_func_cmd_wq(struct optee > > *optee, > > > > > > switch (arg->params[0].u.value.a) { > > > case OPTEE_RPC_NOTIFICATION_WAIT: > > > - if (optee_notif_wait(optee, arg- > > >params[0].u.value.b)) > > > + rc = optee_notif_wait(optee, arg- > > >params[0].u.value.b, arg->params[0].u.value.c); > > > + if (rc) > > > goto bad; > > > break; > > > case OPTEE_RPC_NOTIFICATION_SEND: > > > @@ -153,7 +156,10 @@ static void handle_rpc_func_cmd_wq(struct > > optee *optee, > > > arg->ret = TEEC_SUCCESS; > > > return; > > > bad: > > > - arg->ret = TEEC_ERROR_BAD_PARAMETERS; > > > + if (rc == -ETIMEDOUT) > > > + arg->ret = TEE_ERROR_TIMEOUT; > > > + else > > > + arg->ret = TEEC_ERROR_BAD_PARAMETERS; > > > } > > > > > > static void handle_rpc_func_cmd_wait(struct optee_msg_arg *arg) > > > -- > > > 2.18.0 > > Regards, > Gavin Liu > > > > > ************* MEDIATEK Confidentiality Notice ******************** > The information contained in this e-mail message (including any > attachments) may be confidential, proprietary, privileged, or otherwise > exempt from disclosure under applicable laws. It is intended to be > conveyed only to the designated recipient(s). Any use, dissemination, > distribution, printing, retaining or copying of this e-mail (including its > attachments) by unintended recipient(s) is strictly prohibited and may > be unlawful. If you are not an intended recipient of this e-mail, or believe > that you have received this e-mail in error, please notify the sender > immediately (by replying to this e-mail), delete any and all copies of > this e-mail (including any attachments) from your system, and do not > disclose the content of this e-mail to any other person. Thank you! This text is not meant for public mailing lists. So please work with your IT team to allow you to post to public mailing lists without this text. -Sumit

5 months, 3 weeks

2
1
0 0

Build failing with vexpress/juno+mbedtls

by Jacob Kroon

Hi, When building master as of today with: make PLATFORM=vexpress PLATFORM_FLAVOR=juno CFG_CRYPTOLIB_NAME=mbedtls CFG_CRYPTOLIB_DIR=lib/libmbedtls I get the following build failure: core/lib/libtomcrypt/aes_accel.c: In function ‘aes_ctr_encrypt_nblocks’: core/lib/libtomcrypt/aes_accel.c:182:21: error: ‘CTR_COUNTER_LITTLE_ENDIAN’ undeclared (first use in this function) 182 | if (mode == CTR_COUNTER_LITTLE_ENDIAN) { I can fix the build with: diff --git a/core/lib/libtomcrypt/src/headers/tomcrypt_cipher.h b/core/lib/libtomcrypt/src/headers/tomcrypt_cipher.h index aa94698de..760aa70e1 100644 --- a/core/lib/libtomcrypt/src/headers/tomcrypt_cipher.h +++ b/core/lib/libtomcrypt/src/headers/tomcrypt_cipher.h @@ -925,12 +925,12 @@ int cbc_setiv(const unsigned char *IV, unsigned long len, symmetric_CBC *cbc); int cbc_done(symmetric_CBC *cbc); #endif -#ifdef LTC_CTR_MODE - #define CTR_COUNTER_LITTLE_ENDIAN 0x0000 #define CTR_COUNTER_BIG_ENDIAN 0x1000 #define LTC_CTR_RFC3686 0x2000 +#ifdef LTC_CTR_MODE + int ctr_start( int cipher, const unsigned char *IV, const unsigned char *key, int keylen, ------------------ Does this look like a proper fix ? If so, can I send patches to the mailing list, or do I need to go via a github pull-request ? Regards Jacob

5 months, 4 weeks

3
3
0 0

Linaro OP-TEE Contribution, LOC, monthly meeting May 28

by Jens Wiklander

Tomorrow (Tuesday), it's time for another LOC monthly meeting. For time and connection details see the calendar at https://www.trustedfirmware.org/meetings/ We discussed fTPM last time with some actions (see notes at http://bit.ly/loc-notes): - Linaro to talk to members etc - Jan to continue discussions internally Any other topics? Cheers, Jens

6 months

1
0
0 0

2024

2023

2022

2021

2020

OP-TEE