-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MMU: Simplify tee_mmu_switch function #40
Conversation
dsb /* ARM erratum 754322 */ | ||
mov r2, #0 | ||
mcr p15, 0, r2, c13, c0, 1 | ||
write_context_id r2 /* Clear the CONTEXTIDR register */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no clue why we need to write a zero to the context id, when we're just a few lines below writing again, but with the value from the function arguments. I talked briefly about this with Jens, who said that that might be a necessary step when doing the switch. I have tried to find information about it, but failed to find anything. If anyone of you know if and why that is needed, please let me know.
+1 |
+1 |
Just rebase on top of master so to merge |
Replaced direct CP15 instructions with macros instead and removed some unnecessary code.
ff9cac0
to
31cf38e
Compare
Patch has been rebased on top of master. |
Fix checkpatch warning: WARNING: MAINTAINERS entries use one tab after TYPE: OP-TEE#40: FILE: MAINTAINERS:146: +R: Etienne Carriere <etienne.carriere@linaro.org> [@etienne-lms] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
…:optee_os_3.8.0 to optee_os_3.8.0 * commit '0b362b6c821b33c4902de0cbc163934cbc2d06ae': plat-ls: conf: enable CFG_EMBED_DT by default with DTB SOURCE for LX2160A-RDB & LX2160A-QDS
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 Function ftmn_set_check_res_memcmp() is currently used on the verification of RSA hash. When CFG_FAULT_MITIGATION flag is enabled, ftmn.check.res is set with the return value of the hash comparison. This can be 0, when hash matches, or another number, positive or negativen, when hash does not match. For fault mitigation purposes, the value stored on ftmn.check.res is later compared with the result of the signature comparison, which can assume only two values : 1==valid or 0==invalid. With that, ftmn_set_check_res_memcmp() should set ftmn.check.res either with 0, when hash matches, or with 1, when hash does not match. Fix ___ftmn_set_check_res_memcmp() to have this behavior. Note that, the fault mitigation check is done bewteen ftmn.check.res and !*stat. Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 Function ftmn_set_check_res_memcmp() is currently used on the verification of RSA hash. When CFG_FAULT_MITIGATION flag is enabled, ftmn.check.res is set with the return value of the hash comparison. This can be 0, when hash matches, or another number, positive or negativen, when hash does not match. For fault mitigation purposes, the value stored on ftmn.check.res is later compared with the result of the signature comparison, which can assume only two values : 1==valid or 0==invalid. With that, ftmn_set_check_res_memcmp() should set ftmn.check.res either with 0, when hash matches, or with 1, when hash does not match. Fix ___ftmn_set_check_res_memcmp() to have this behavior. Note that, the fault mitigation check is done between ftmn.check.res and !*stat. Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall #40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
When running a test with CFG_FAULT_MITIGATION=y and with a corrupted message, hash verification fails and panic TEE core: F/TC:? 0 trace_syscall:149 syscall OP-TEE#40 (syscall_asymm_verify) E/TC:2 0 Panic at lib/libutils/ext/fault_mitigation.c:87 <___ftmn_callee_done_check> E/TC:2 0 TEE load address @ 0x43200000 E/TC:2 0 Call stack: E/TC:2 0 0x4320a9f0 print_kernel_stack at optee-os/core/arch/arm/kernel/unwind_arm64.c:91 E/TC:2 0 0x432203fc __do_panic at optee-os/core/kernel/panic.c:26 (discriminator 32) E/TC:2 0 0x4327d324 ___ftmn_callee_done_check at optee-os/lib/libutils/ext/fault_mitigation.c:87 E/TC:2 0 0x43263aac __ftmn_callee_done_check at optee-os/lib/libutils/ext/include/fault_mitigation.h:349 E/TC:2 0 0x43258408 sw_crypto_acipher_rsassa_verify at optee-os/core/lib/libtomcrypt/rsa.c:669 E/TC:2 0 0x43247ecc syscall_asymm_verify at optee-os/core/tee/tee_svc_cryp.c:4420 E/TC:2 0 0x43206d18 scall_do_call at optee-os/core/arch/arm/kernel/arch_scall_a64.S:140 E/TC:2 0 0x43206798 thread_scall_handler at optee-os/core/arch/arm/kernel/thread.c:1115 E/TC:2 0 0x432043e8 el0_svc at optee-os/core/arch/arm/kernel/thread_a64.S:850 When CFG_FAULT_MITIGATION flag is enabled, ftmn_set_check_res_memcmp() is used on the verification of RSA hash. ftmn.check.res is set with the return value of the hash comparison. Since memcmp() is used, this can be 0, when hash matches, or any non-zero number when hash does not match. However, the value stored on ftmn.check.res is later compared with the result of the signature comparison (!*stat), which can assume only two values, 1==valid or 0==invalid. With that, when ftmn_set_check_res_memcmp() returns any non-zero number, force ftmn.check.res to 1 so that it matches the check with later FTMN_CALLEE_DONE_CHECK(). Signed-off-by: Felix Freimann <felix.freimann@mediatek.com> Signed-off-by: Vitor Sato Eschholz <vsatoes@baylibre.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Replaced direct CP15 instructions with macros instead and removed some
unnecessary code.