path: root/lib/optee
Age | Commit message | Author
8 days | optee: Correct dependencies for BOOTM_OPTEE | Tom Rini
As exposed by "make randconfig", we have an issue with the dependencies for BOOTM_OPTEE. This symbol needs to select BOOTM_LINUX and in turn depend on the library symbols that have to be enabled for BOOTM_LINUX to be valid (LIB_BOOTI, LIB_BOOTM and LIB_BOOTZ). Reviewed-by: Marek Vasut <[email protected]> Signed-off-by: Tom Rini <[email protected]>
2025-11-18 | lib: optee: forbid OP-TEE OS loading without adding OP-TEE OS reserved-memory nodes | Quentin Schulz
I've spent time trying to figure out why my board (Rockchip PX30-based) suddenly boot loops when running a specific program in Linux userspace after working on a U-Boot upgrade. I actually inadvertently had the TEE environment variable set for a device which doesn't actually need to run any TEE OS (so had OPTEE_LIB disabled). It is currently possible to build an image with an OP-TEE OS (via the TEE environment variable) without OPTEE_LIB. U-Boot will happily load the TEE OS and the next OS (e.g. the Linux kernel). This is an issue because on FDT-enabled devices, OP-TEE OS adds nodes to the reserved-memory FDT node for the memory regions it just reserved for itself. This updated FDT is then passed to U-Boot proper which should know better not to use memory from there. The actual issue is that without OPTEE_LIB and OF_LIBFDT enabled, U-Boot proper will not copy those nodes over to the next OS's FDT before starting it. This results in the next OS (e.g. Linux kernel) not being aware of reserved memory, incurring random crashes or device reboots when it tries to access secure reserved memory area. On Rockchip, the U-Boot FIT image which contains both the TEE OS and U-Boot proper is generated by binman. Unfortunately, binman doesn't seem to have access to Kconfig symbols (grep CONFIG_ doesn't return anything meaningful and binman is either configured through FDT nodes or via CLI arguments, c.f. cmd_binman in the root Makefile) so we cannot try to be smart and guide the user to the correct Kconfig option to select if TEE is set. We could add a property based on the presence of OPTEE_LIB in rockchip-u-boot.dtsi for example and have a custom message based on that, the issue is that I assume all FDT-based platforms do actually need to do this dance, and not only Rockchip.
Another option could be to add a CLI argument to binman through which we would pass the state of OPTEE_LIB and error out the build in that case, but that feels like opening the door to other various dirty hacks. Another option is to propagate the TEE environment variable to the preprocessor of the FDT (via dtc_cpp_flags) and then we can do
    #if defined(TEE) && !IS_ENABLED(CONFIG_OPTEE_LIB)
    #error "CONFIG_OPTEE_LIB must be enabled!"
    #endif
but we have the same issue as above, it is then Rockchip-specific and doesn't feel right to me. Yet another option is to remove the @tee-SEQ node from the binman FIT description when OPTEE_LIB isn't set but then we would lose the following nice message when no TEE is provided:
    Image 'simple-bin' is missing optional external blobs but is still functional: tee-os
and even worse, build without any TEE OS even though we could provide one via the TEE environment variable. Finally, another option could be to move this hack under arch/arm/mach-rockchip/Kconfig to make it Rockchip-specific or add a depends on ARCH_ROCKCHIP. However OP-TEE OS on Aarch32 Rockchip boards doesn't actually need any of that if SPL_OPTEE_IMAGE is set because arch/arm/mach-rockchip/sdram.c then marks some hardcoded memory regions in RAM as holes in DRAM, which has the same effect as reserved memory regions I guess. I assume other platforms may use something different, so it may be casting too wide of a net. This commit is what I could come up with as a stopgap measure to avoid building images that simply cannot reliably work and fail randomly. Signed-off-by: Quentin Schulz <[email protected]>
2025-09-24 | lib: optee: Add line ending to debug() outputs | Jan Kiszka
Signed-off-by: Jan Kiszka <[email protected]>
2023-12-21 | lib: Remove <common.h> inclusion from these files | Tom Rini
After some header file cleanups to add missing include files, remove common.h from all files in the lib directory. This primarily means just dropping the line but in a few cases we need to add in other header files now. Reviewed-by: Simon Glass <[email protected]> Signed-off-by: Tom Rini <[email protected]>
2023-08-28 | Revert "arm: imx: mx7: Move CONFIG_OPTEE_TZDRAM_SIZE from lib/optee" | Ricardo Salveti
This reverts commit c5b68ef8af3c2f515c1f5b8d63a69359a85d753b. CONFIG_OPTEE_TZDRAM_SIZE is used by imx6-based SoCs as well. Move the option back. Signed-off-by: Ricardo Salveti <[email protected]> Signed-off-by: Oleksandr Suvorov <[email protected]>
2021-10-13 | fdtdec: Support reserved-memory flags | Thierry Reding
Reserved memory nodes can have additional flags. Support reading and writing these flags to ensure that reserved memory nodes can be properly parsed and emitted. This converts support for the existing "no-map" flag to avoid extending the argument list for fdtdec_add_reserved_memory() to excessive length. Signed-off-by: Thierry Reding <[email protected]> Reviewed-by: Simon Glass <[email protected]> Signed-off-by: Tom Warren <[email protected]>
2021-10-13 | fdtdec: Support compatible string list for reserved memory | Thierry Reding
Reserved memory nodes can have a compatible string list to identify the type of reserved memory that they represent. Support specifying an optional compatible string list when creating these nodes. Signed-off-by: Thierry Reding <[email protected]> Reviewed-by: Simon Glass <[email protected]> Signed-off-by: Tom Warren <[email protected]>
2021-10-05 | arm: imx: mx7: Move CONFIG_OPTEE_TZDRAM_SIZE from lib/optee | Alexandru Gagniuc
This config is only used by three boards with this SOC. Most other platforms derive this information from devicetree, and are unlikely to ever need this config. Moreover, it is confusing when Kconfig asks for this value under "Support OPTEE images", but does not do anything with the value. Move it to imx7 for those boards who still make use of it. Signed-off-by: Alexandru Gagniuc <[email protected]>
2021-10-05 | lib: optee: Remove CONFIG_OPTEE_LOAD_ADDR | Alexandru Gagniuc
This value is not used by u-boot, and it should not. The load address of an OPTEE image is defined by said image. Either a uImage or a FIT will have a defined load address and entry point. Those values are the correct ones, not CONFIG_OPTEE_LOAD_ADDR. Commit f25006b96e9f ("optee: Add CONFIG_OPTEE_LOAD_ADDR") justifies this config by requiring its presence in u-boot's .config for other images as part of a larger build, claiming it is "the best way". This argument is not persuasive. U-boot's configuration is driven by platform requirements, not the other way around. It seems more likely that the argument is conflating tooling issues with Kconfig. Yocto and buildroot have excellent mechanisms for defining values across the board (pun intended). u-boot's Kconfig is the wrong place to do it. Furthermore, it is not "best" for u-boot because it hardcodes a value which is then not used. In fact the load address that u-boot uses is the one derived from the OPTEE image. Confused yet? I sure was. To prevent future confusion, remove CONFIG_OPTEE_LOAD_ADDR. Signed-off-by: Alexandru Gagniuc <[email protected]>
2021-10-05 | lib: optee: Remove CONFIG_OPTEE_TZDRAM_BASE | Alexandru Gagniuc
It is no longer used in u-boot. Information about the TZDRAM location is usually available in the devicetree as "/reserved-memory/" nodes. Because this isn't used, remove it. Signed-off-by: Alexandru Gagniuc <[email protected]>
2021-10-05 | lib: optee: Avoid CONFIG_TZDRAM_* in optee_verify_bootm_image() | Alexandru Gagniuc
The configs TZDRAM_BASE and TZDRAM_SIZE are expected to describe the memory allocated to the OPTEE region, according to commit c5a6e8bd00cc ("optee: Add optee_verify_bootm_image()"). The TZDRAM is, with some limitations, described by "/reserved-memory" nodes in the devicetree. Consequently TZDRAM_BASE and TZDRAM_SIZE can point to imaginary regions which have nothing to do with actual DRAM. They are not used to configure the hardware or set up the Trust Zone Controller (TZC) for OP-TEE -- the devicetree values are used instead. When a valid OP-TEE image does not fall within the region described by these configs, u-boot will refuse to load it. In fact, it mostly serves to cause "bootm" to reject perfectly good OP-TEE images. Ironically, someone has to correctly configure the devicetree for TZDRAM, then go back and enter the same information in Kconfig for "bootm". To remedy this, do not use TZDRAM_BASE and TZDRAM_SIZE in the verification of OPTEE images. Signed-off-by: Alexandru Gagniuc <[email protected]>
2021-10-05 | lib: optee: remove the duplicate CONFIG_OPTEE | Patrick Delaunay
The configuration CONFIG_OPTEE is defined 2 times: 1- in lib/optee/Kconfig for support of OPTEE images loaded by bootm command 2- in drivers/tee/optee/Kconfig for support of OP-TEE driver. It is abnormal to have the same CONFIG define for 2 purposes; and it is difficult to manage their dependencies correctly. Moreover CONFIG_SPL_OPTEE is defined in common/spl/Kconfig to manage OPTEE image load in SPL. This definition causes an issue with the macro CONFIG_IS_ENABLED(OPTEE) to test the availability of the OP-TEE driver. This patch cleans the configuration dependency with: - CONFIG_OPTEE_IMAGE (renamed) => support of OP-TEE image in U-Boot - CONFIG_SPL_OPTEE_IMAGE (renamed) => support of OP-TEE image in SPL - CONFIG_OPTEE (same) => support of OP-TEE driver in U-Boot - CONFIG_OPTEE_LIB (new) => support of OP-TEE library After this patch, the macros have the correct behavior: - CONFIG_IS_ENABLED(OPTEE_IMAGE) => Load of OP-TEE image is supported - CONFIG_IS_ENABLED(OPTEE) => OP-TEE driver is supported Signed-off-by: Patrick Delaunay <[email protected]>
2021-08-31 | Kconfig: Remove all default n/no options | Michal Simek
default n/no doesn't need to be specified. It is default option anyway. Signed-off-by: Michal Simek <[email protected]> [trini: Rework FSP_USE_UPD portion] Signed-off-by: Tom Rini <[email protected]>
2021-04-12 | lib: optee: migration optee_copy_fdt_nodes for OF_LIVE support | Patrick Delaunay
The optee_copy_fdt_nodes is only used to copy op-tee nodes of U-Boot device tree (from gd->fdt_blob when OF_LIVE is not activated) to external device tree but it is not compatible with OF_LIVE. This patch migrates all fdt_ functions used to read nodes on old_blob to ofnode functions, compatible with OF_LIVE, and removes the parameter "old_blob". The generated "device tree" is checked on stm32mp platform with OF_LIVE activated. Signed-off-by: Patrick Delaunay <[email protected]>
2021-02-02 | common: Drop asm/global_data.h from common header | Simon Glass
Move this out of the common header and include it only where needed. In a number of cases this requires adding "struct udevice;" to avoid adding another large header or in other cases replacing / adding missing header files that had been pulled in, very indirectly. Finally, we have a few cases where we did not need to include <asm/global_data.h> at all, so remove that include. Signed-off-by: Simon Glass <[email protected]> Signed-off-by: Tom Rini <[email protected]>
2020-09-22 | optee: add property no-map to secure reserved memory | Etienne Carriere
OP-TEE reserved memory node must set property "no-map" to prevent Linux kernel from mapping secure memory unless what non-secure world speculative accesses of the CPU can violate the memory firmware configuration. Fixes: 6ccb05eae01b ("image: fdt: copy possible optee nodes to a loaded devicetree") Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Patrice Chotard <[email protected]>
2020-09-22 | fdtdec: optionally add property no-map to created reserved memory node | Etienne Carriere
Add boolean input argument @no_map to helper function fdtdec_add_reserved_memory() to add or not "no-map" property for an added reserved memory node. Property no-map is used by the Linux kernel to not map memory in its static memory mapping. It is needed for example for the consistency of system non-cached memory and to prevent speculative accesses to some firewalled memory. No functional change. A later change will update the OPTEE library to add no-map property to OP-TEE reserved memory nodes. Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Patrice Chotard <[email protected]> Reviewed-by: Simon Glass <[email protected]>
2020-06-15 | optee: fix copy of optee reserved-memory node | Etienne Carriere
Fix the loop that parses FDT for a reserved memory node named "optee". Before this change, if at least one subnode was found in the reserved-memory node, the function endlessly looped since instruction continue returned back in the loop without updating variable subnode. This change fixes the issue by using a for loop. Fixes: 6ccb05eae01b ("image: fdt: copy possible optee nodes to a loaded devicetree") Signed-off-by: Etienne Carriere <[email protected]> Signed-off-by: Patrick Delaunay <[email protected]>
2020-05-18 | common: Drop log.h from common header | Simon Glass
Move this header out of the common header. Signed-off-by: Simon Glass <[email protected]>
2020-01-30 | optee: Replace uninitialized return variable by proper one. | Christoph Müllner
As hinted by GCC 9, there is a return statement that returns an uninitialized variable in optee_copy_firmware_node(). This patch addresses this. Signed-off-by: Christoph Müllner <[email protected]> Reviewed-by: Heiko Stuebner <[email protected]>
2020-01-17 | common: Move the image globals into image.h | Simon Glass
These three globals relate to image handling. Move them to the image header file. Signed-off-by: Simon Glass <[email protected]>
2019-11-14 | image: fdt: copy possible optee nodes to a loaded devicetree | Heiko Stuebner
The loading convention for optee or any other tee on arm64 is as bl32 parameter to the trusted-firmware. So TF-A gets invoked with the TEE as bl32 and main u-boot as bl33. Once it has done its startup TF-A jumps into the bl32 for the TEE startup, returns to TF-A and then jumps to bl33. All of them get passed a devicetree as parameter and all components often get loaded from a FIT image. OP-TEE will create additional nodes in that devicetree namely a firmware node and possibly multiple reserved-memory nodes. While this devicetree is used in main u-boot, in most cases it won't be the one passed to the actual kernel. Instead most boot commands will load a new devicetree from somewhere like mass storage or the network, so if that happens u-boot should transfer the optee nodes to that new devicetree. To make that happen introduce optee_copy_fdt_nodes() called from the dt setup function in image-fdt which after checking for the optee presence in the u-boot dt will make sure an optee node is present in the kernel dt and transfer any reserved-memory regions it can find. Signed-off-by: Heiko Stuebner <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
2019-07-19 | optee: Make TZDRAM config options contingent on CONFIG_OPTEE | Bryan O'Donoghue
Commit c7b3a7ee5351 ("optee: adjust dependencies and default values for dram") makes the TZDRAM defines for OPTEE show up for all configs as a side-effect. While not harmful it's not what we really want. This patch makes the following defines contingent on CONFIG_OPTEE=y CONFIG_OPTEE_TZDRAM_BASE CONFIG_OPTEE_TZDRAM_SIZE Rightly, if you don't have CONFIG_OPTEE=y you don't care about the above two defines. Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Rui Miguel Silva <[email protected]> Acked-by: Rui Miguel Silva <[email protected]>
2018-10-22 | optee: adjust dependencies and default values for dram | Rui Miguel Silva
We may have, the not yet considered, scenario where OPTEE is loaded before u-boot and *not* by u-boot, e.g, the boot flow using the ARM Trusted Firmware (ATF), where in the 32bit flow is: BootRom->ATF(BL2)->Optee(BL32)->u-boot(BL33) In this case we need still to reserve the memory used by optee, to avoid for example to relocate ourselves to the same address at the end of DRAM. So, we change here the dependencies on the OPTEE lib and we set the default size and base of TZRAM to zero. Signed-off-by: Rui Miguel Silva <[email protected]> Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Fabio Estevam <[email protected]> Cc: Ryan Harkin <[email protected]> Cc: [email protected]
2018-05-07 | SPDX: Convert all of our single license tags to Linux Kernel style | Tom Rini
When U-Boot started using SPDX tags we were among the early adopters and there weren't a lot of other examples to borrow from. So we picked the area of the file that usually had a full license text and replaced it with an appropriate SPDX-License-Identifier: entry. Since then, the Linux Kernel has adopted SPDX tags and they place it as the very first line in a file (except where shebangs are used, then it's second line) and with slightly different comment styles than us. In part due to community overlap, in part due to better tag visibility and in part for other minor reasons, switch over to that style. This commit changes all instances where we have a single declared license in the tag as both the before and after are identical in tag contents. There's also a few places where I found we did not have a tag and have introduced one. Signed-off-by: Tom Rini <[email protected]>
2018-03-19 | bootm: optee: Add a bootm command for type IH_OS_TEE | Bryan O'Donoghue
This patch makes it possible to verify the contents and location of an OPTEE image in DRAM prior to handing off control to that image. If image verification fails we won't try to boot any further. Signed-off-by: Bryan O'Donoghue <[email protected]> Suggested-by: Andrew F. Davis <[email protected]> Cc: Harinarayan Bhatta <[email protected]> Cc: Andrew F. Davis <[email protected]> Cc: Tom Rini <[email protected]> Cc: Kever Yang <[email protected]> Cc: Philipp Tomsich <[email protected]> Cc: Peng Fan <[email protected]>
2018-03-19 | optee: Add error printout | Bryan O'Donoghue
When encountering an error in OPTEE verification print out various details of the OPTEE header to aid in further debugging of encountered errors. Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Harinarayan Bhatta <[email protected]> Cc: Andrew F. Davis <[email protected]> Cc: Tom Rini <[email protected]> Cc: Kever Yang <[email protected]> Cc: Philipp Tomsich <[email protected]> Cc: Peng Fan <[email protected]> Tested-by: Peng Fan <[email protected]>
2018-03-19 | optee: Add optee_verify_bootm_image() | Bryan O'Donoghue
This patch adds optee_verify_bootm_image() which will be subsequently used to verify the parameters encoded in the OPTEE header match the memory allocated to the OPTEE region, OPTEE header magic and version prior to handing off control to the OPTEE image. Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Harinarayan Bhatta <[email protected]> Cc: Andrew F. Davis <[email protected]> Cc: Tom Rini <[email protected]> Cc: Kever Yang <[email protected]> Cc: Philipp Tomsich <[email protected]> Cc: Peng Fan <[email protected]>
2018-03-19 | optee: Add CONFIG_OPTEE_LOAD_ADDR | Bryan O'Donoghue
CONFIG_OPTEE_LOAD_ADDR is used to tell u-boot where to load the OPTEE binary into memory prior to handing off control to OPTEE. We need to pull this value out of u-boot in order to produce an IMX IVT/CSF signed pair for the purposes of secure boot. The best way to do that is to have CONFIG_OPTEE_LOAD_ADDR appear in u-boot.cfg. Adding new CONFIG entries to u-boot should be kconfig driven so this patch does just that. Signed-off-by: Bryan O'Donoghue <[email protected]> Reviewed-by: Ryan Harkin <[email protected]>
2018-03-19 | optee: Add CONFIG_OPTEE_TZDRAM_BASE | Bryan O'Donoghue
OPTEE is currently linked to a specific area of memory called the TrustZone DRAM. This patch adds a CONFIG entry for the default address of TrustZone DRAM that a board-port can over-ride. The region that U-Boot sets aside for the OPTEE run-time should be verified before attempting to hand off to the OPTEE run-time. Each board-port should carefully ensure that the TZDRAM address specified in the OPTEE build and the TZDRAM address specified in U-Boot match-up. Further patches will use TZDRAM address with other defines and variables to carry out a degree of automated verification in U-Boot prior to trying to boot an OPTEE image. Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Harinarayan Bhatta <[email protected]> Cc: Andrew F. Davis <[email protected]> Cc: Tom Rini <[email protected]> Cc: Kever Yang <[email protected]> Cc: Philipp Tomsich <[email protected]>
2018-03-19 | optee: Add CONFIG_OPTEE_TZDRAM_SIZE | Bryan O'Donoghue
OPTEE is currently linked to a specific area of memory called the TrustZone DRAM. This patch adds a CONFIG entry for the default size of TrustZone DRAM that a board-port can over-ride. The region that U-Boot sets aside for the OPTEE run-time should be verified before attempting to hand off to the OPTEE run-time. Each board-port should carefully ensure that the TZDRAM size specified in the OPTEE build and the TZDRAM size specified in U-Boot match-up. Further patches will use TZDRAM size with other defines and variables to carry out a degree of automated verification in U-Boot prior to trying to boot an OPTEE image. Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Harinarayan Bhatta <[email protected]> Cc: Andrew F. Davis <[email protected]> Cc: Tom Rini <[email protected]> Cc: Kever Yang <[email protected]> Cc: Philipp Tomsich <[email protected]> Cc: Peng Fan <[email protected]> Tested-by: Peng Fan <[email protected]>
2018-03-19 | optee: Add lib entries for sharing OPTEE code across ports | Bryan O'Donoghue
This patch adds code to lib to enable sharing of useful OPTEE code between board-ports and architectures. The code on lib/optee/optee.c comes from the TI omap2 port. Eventually the OMAP2 code will be patched to include the shared code. The intention here is to add more useful OPTEE specific code as more functionality gets added. Signed-off-by: Bryan O'Donoghue <[email protected]> Cc: Harinarayan Bhatta <[email protected]> Cc: Andrew F. Davis <[email protected]> Cc: Tom Rini <[email protected]> Cc: Kever Yang <[email protected]> Cc: Philipp Tomsich <[email protected]> Cc: Peng Fan <[email protected]> Tested-by: Peng Fan <[email protected]>