1. 12 Oct, 2020 1 commit
    • TF-A: Add HASH_ALG default value to defaults.mk · ae3cf1ff
      Alexei Fedorov authored
      
      
      This patch adds default value of 'sha256' for HASH_ALG
      build flag to 'make_helpers\defaults.mk', according to
      'docs\getting_started\build-options.rst'.
      This fixes Measured Boot driver error when TF-A uses
      default HASH_ALG value and TPM_HASH_ALG is set to
      sha384 or sha512.
      
      Change-Id: Id0aa34b54807de0adaf88e5f7d7032577c22f365
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
  2. 14 Sep, 2020 2 commits
  3. 10 Sep, 2020 1 commit
  4. 17 Aug, 2020 1 commit
  5. 12 Aug, 2020 1 commit
    • cert_create: add Platform owned secure partitions support · 23d5f03a
      Manish Pandey authored
      
      
      Add support to generate a certificate named "plat-sp-cert" for Secure
      Partitions(SP) owned by Platform.
      Earlier a single certificate file "sip-sp-cert" was generated which
      contained hash of all 8 SPs, with this change SPs are divided into
      two categories viz "SiP owned" and "Plat owned" containing 4 SPs each.
      
      Platform RoT key pair is used for signing.
      Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
      Change-Id: I5bd493cfce4cf3fc14b87c8ed1045f633d0c92b6
  6. 30 Jul, 2020 1 commit
    • Makefile, doc: Make OPENSSL_DIR variable as build option for tools · 582e4e7b
      Manish V Badarkhe authored
      
      
      Openssl directory path is hardcoded to '/usr' in the makefile
      of certificate generation and firmware encryption tool using
      'OPENSSL_DIR' variable.
      
      Hence changes are done to make 'OPENSSL_DIR' variable as
      a build option so that user can provide openssl directory
      path while building the certificate generation and firmware
      encryption tool.
      
      Also, updated the document for this newly created build option
      
      Change-Id: Ib1538370d2c59263417f5db3746d1087ee1c1339
      Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
  7. 09 Jul, 2020 1 commit
  8. 12 Jun, 2020 1 commit
  9. 09 Jun, 2020 1 commit
  10. 08 Jun, 2020 1 commit
    • cert_create: add SiP owned secure partitions support · 0792dd7d
      Manish Pandey authored
      
      
      Add support to generate certificate "sip-sp-cert" for Secure
      Partitions(SP) owned by Silicon provider(SiP).
      To avoid deviation from TBBR specification the support is only added for
      dualroot CoT and not for TBBR CoT.
      
      A single certificate file is generated containing hash of individual
      packages. Maximum 8 secure partitions are supported.
      
      Following new options added to cert_tool:
       --sip-sp-cert --> SiP owned Secure Partition Content Certificate
       --sp-pkg1 --> Secure Partition Package1 file
       --sp-pkg2
       .....
       --sp-pkg8
      
      Trusted world key pair is used for signing.
      
      Going forward, this feature can be extended for Platform owned
      Partitions, if required.
      Signed-off-by: Manish Pandey <manish.pandey2@arm.com>
      Change-Id: Ia6dfbc1447cfb41b1fcbd12cf2bf7b88f409bd8d
  11. 15 May, 2020 1 commit
  12. 14 May, 2020 1 commit
    • Implement workaround for AT speculative behaviour · 45aecff0
      Manish V Badarkhe authored
      During context switching from higher EL (EL2 or higher)
      to lower EL can cause incorrect translation in TLB due to
      speculative execution of AT instruction using out-of-context
      translation regime.
      
      Workaround is implemented as below during EL's (EL1 or EL2)
      "context_restore" operation:
      1. Disable page table walk using SCTLR.M and TCR.EPD0 & EPD1
         bits for EL1 or EL2 (stage1 and stage2 disabled)
      2. Save all system registers except TCR and SCTLR (for EL1 and EL2)
      3. Do memory barrier operation (isb) to ensure all
         system register writes are done.
      4. Restore TCR and SCTLR registers (for EL1 and EL2)
      
      Errata details are available for various CPUs as below:
      Cortex-A76: 1165522
      Cortex-A72: 1319367
      Cortex-A57: 1319537
      Cortex-A55: 1530923
      Cortex-A53: 1530924
      
      More details can be found in mail-chain:
      https://lists.trustedfirmware.org/pipermail/tf-a/2020-April/000445.html
      
      
      
      Currently, Workaround is implemented as build option which is default
      disabled.
      Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
      Change-Id: If8545e61f782cb0c2dda7ffbaf50681c825bd2f0
  13. 01 Apr, 2020 1 commit
    • Enable MTE support · 7ff088d1
      Manish V Badarkhe authored
      
      
      Enable MTE support by adding memory tag option in Makefile
      This option is available only when ARMv8.5-MemTag is implemented
      
      MTE options are added in latest clang and armclang compiler which
      support below options:
      for clang <version 11.0.0>
      1. -march=arm8.5-a+memtag
      2. -fsanitize=memtag
      
      for armclang <version 6.12>
      1. -march=arm8.5-a+memtag
      2. -mmemtag-stack
      
      Set the option SUPPORT_STACK_MEMTAG=yes to enable memory stack tagging.
      Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
      Change-Id: I4e0bbde4e9769ce03ead6f550158e22f32c1c413
  14. 31 Mar, 2020 1 commit
  15. 16 Mar, 2020 1 commit
    • fconf: Clean Arm IO · a6de824f
      Louis Mayencourt authored
      
      
      Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
      removes the duplicate io_policies and functions definition.
      
      This patch:
      - replace arm_io_storage.c with the content of arm_fconf_io_storage.c
      - rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
      - use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
      - propagate DEFINES when parsing dts.
      - use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
      - set the ARM_IO_IN_DTB to 0 by default for fvp. This ensures that the behavior
        of fvp stays the same as it was before the introduction of fconf.
      
      Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
      Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
  16. 06 Mar, 2020 2 commits
    • Makefile: Add support to optionally encrypt BL31 and BL32 · c6ba9b45
      Sumit Garg authored
      
      
      Following build flags have been added to support optional firmware
      encryption:
      
      - FW_ENC_STATUS: Top level firmware's encryption numeric flag, values:
          0: Encryption is done with Secret Symmetric Key (SSK) which is
             common for a class of devices.
          1: Encryption is done with Binding Secret Symmetric Key (BSSK) which
             is unique per device.
      
      - ENC_KEY: A 32-byte (256-bit) symmetric key in hex string format. It
          could be SSK or BSSK depending on FW_ENC_STATUS flag.
      
      - ENC_NONCE: A 12-byte (96-bit) encryption nonce or Initialization Vector
          (IV) in hex string format.
      
      - ENCRYPT_BL31: Binary flag to enable encryption of BL31 firmware.
      
      - ENCRYPT_BL32: Binary flag to enable encryption of Secure BL32 payload.
      
      Similar flags can be added to encrypt other firmwares as well depending
      on use-cases.
      Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
      Change-Id: I94374d6830ad5908df557f63823e58383d8ad670
    • drivers: crypto: Add authenticated decryption framework · 7cda17bb
      Sumit Garg authored
      
      
      Add framework for authenticated decryption of data. Currently this
      patch optionally imports mbedtls library as a backend if build option
      "DECRYPTION_SUPPORT = aes_gcm" is set to perform authenticated decryption
      using AES-GCM algorithm.
      Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
      Change-Id: I2966f0e79033151012bf4ffc66f484cd949e7271
  17. 03 Mar, 2020 1 commit
  18. 02 Mar, 2020 1 commit
  19. 27 Feb, 2020 1 commit
  20. 24 Feb, 2020 2 commits
    • Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: Petre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
    • Build system: Changes to drive cert_create for dualroot CoT · 53b985a0
      Sandrine Bailleux authored
      
      
      The build system needs to drive the cert_create tool in a slightly
      different manner when using the dualroot chain of trust.
      
       - It needs to pass it the platform root of trust key file.
      
       - It must not try to generate the Non-Trusted Firmware Key Certificate,
         which is not part of the dualroot CoT.
      
      Change-Id: Ibcc821c5735765523730f861ae8230208f41302b
      Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
  21. 18 Feb, 2020 1 commit
  22. 07 Feb, 2020 1 commit
    • fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
  23. 29 Jan, 2020 1 commit
  24. 28 Jan, 2020 1 commit
  25. 24 Jan, 2020 1 commit
    • Build: support per-BL LDFLAGS · d986bae4
      Masahiro Yamada authored
      
      
      make_helpers/build_macros.mk supports per-BL CFLAGS. For example,
      you can pass compiler flags only to BL31 by using BL31_CFLAGS.
      
      This commit adds per-BL LDFLAGS support, which is useful as well.
      
      My main motivation of this addition is to use it for ENABLE_PIE.
      When ENABLE_PIE is enabled, some linker flags are added to TF_LDFLAGS,
      which affects all the TF images. It will make more sense to pass the
      relevant options only to BL images that support it.
      
      Change-Id: I203acaab0091db5ae0ea6e66460ee7dc8d9c4d75
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
  26. 14 Jan, 2020 1 commit
    • Replace dts includes with C preprocessor syntax · 2d51b55e
      Balint Dobszay authored
      
      
      Using the /include/ syntax, the include was evaluated by dtc, only after running
      the preprocessor, therefore the .dtsi files were not preprocessed. This patch
      adds the #include syntax instead. Evaluating this and preprocessing the files
      now happens in a single step, done by the C preprocessor.
      
      Change-Id: I6d0104b6274316fc736e84973502a4d6c2c9d6e0
      Signed-off-by: Balint Dobszay <balint.dobszay@arm.com>
  27. 29 Dec, 2019 1 commit
    • bl31: Split into two separate memory regions · f8578e64
      Samuel Holland authored
      
      
      Some platforms are extremely memory constrained and must split BL31
      between multiple non-contiguous areas in SRAM. Allow the NOBITS
      sections (.bss, stacks, page tables, and coherent memory) to be placed
      in a separate region of RAM from the loaded firmware image.
      
      Because the NOBITS region may be at a lower address than the rest of
      BL31, __RW_{START,END}__ and __BL31_{START,END}__ cannot include this
      region, or el3_entrypoint_common would attempt to invalidate the dcache
      for the entire address space. New symbols __NOBITS_{START,END}__ are
      added when SEPARATE_NOBITS_REGION is enabled, and the dcache for the
      NOBITS region is invalidated separately.
      Signed-off-by: Samuel Holland <samuel@sholland.org>
      Change-Id: Idedfec5e4dbee77e94f2fdd356e6ae6f4dc79d37
  28. 20 Dec, 2019 2 commits
    • spm: Remove SPM Alpha 1 prototype and support files · 538b0020
      Paul Beesley authored
      
      
      The Secure Partition Manager (SPM) prototype implementation is
      being removed. This is preparatory work for putting in place a
      dispatcher component that, in turn, enables partition managers
      at S-EL2 / S-EL1.
      
      This patch removes:
      
      - The core service files (std_svc/spm)
      - The Resource Descriptor headers (include/services)
      - SPRT protocol support and service definitions
      - SPCI protocol support and service definitions
      
      Change-Id: Iaade6f6422eaf9a71187b1e2a4dffd7fb8766426
      Signed-off-by: Paul Beesley <paul.beesley@arm.com>
      Signed-off-by: Artsem Artsemenka <artsem.artsemenka@arm.com>
    • Remove dependency between SPM_MM and ENABLE_SPM build flags · 3f3c341a
      Paul Beesley authored
      
      
      There are two different implementations of Secure Partition
      management in TF-A. One is based on the "Management Mode" (MM)
      design, the other is based on the Secure Partition Client Interface
      (SPCI) specification. Currently there is a dependency between their
      build flags that shouldn't exist, making further development
      harder than it should be. This patch removes that
      dependency, making the two flags function independently.
      
      Before: ENABLE_SPM=1 is required for using either implementation.
              By default, the SPCI-based implementation is enabled and
              this is overridden if SPM_MM=1.
      
      After: ENABLE_SPM=1 enables the SPCI-based implementation.
             SPM_MM=1 enables the MM-based implementation.
             The two build flags are mutually exclusive.
      
      Note that the name of the ENABLE_SPM flag remains a bit
      ambiguous - this will be improved in a subsequent patch. For this
      patch the intention was to leave the name as-is so that it is
      easier to track the changes that were made.
      
      Change-Id: I8e64ee545d811c7000f27e8dc8ebb977d670608a
      Signed-off-by: Paul Beesley <paul.beesley@arm.com>
  29. 17 Dec, 2019 1 commit
    • debugfs: add 9p device interface · 0ca3913d
      Olivier Deprez authored
      
      
      The 9p interface provides abstraction layers allowing the software
      that uses devices to be independent from the hardware.
      
      This patch provides a file system abstraction to link drivers to their
      devices and propose a common interface to expose driver operations to
      higher layers. This file system can be used to access and configure a
      device by doing read/write operations.
      Signed-off-by: Ambroise Vincent <ambroise.vincent@arm.com>
      Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
      Change-Id: Ia9662393baf489855dc0c8f389fe4a0afbc9c255
  30. 02 Dec, 2019 1 commit
    • Enable Link Time Optimization in GCC · edbce9aa
      zelalem-aweke authored
      
      
      This patch enables LTO for TF-A when compiled with GCC.
      LTO is disabled by default and is enabled by
      ENABLE_LTO=1 build option.
      
      LTO is enabled only for aarch64 as there seems to be
      a bug in the aarch32 compiler when LTO is enabled.
      
      The changes in the makefiles include:
      - Adding -flto and associated flags to enable LTO.
      - Using gcc as a wrapper at link time instead of ld.
        This is recommended when using LTO as gcc internally
        takes care of invoking the necessary plugins for LTO.
      - Adding switches to pass options to ld.
      - Adding a flag to disable fix for erratum cortex-a53-843419
        unless explicitly enabled. This is needed because GCC
        seems to automatically add the erratum fix when used
        as a wrapper for LD.
      
      Additionally, this patch updates the TF-A user guide with
      the new build option.
      Signed-off-by: zelalem-aweke <zelalem.aweke@arm.com>
      Change-Id: I1188c11974da98434b7dc9344e058cd1eacf5468
  31. 04 Oct, 2019 1 commit
    • Fix the CAS spinlock implementation · c97cba4e
      Soby Mathew authored
      
      
      Make the spinlock implementation use ARMv8.1-LSE CAS instruction based
      on a platform build option. The CAS-based implementation used to be
      unconditionally selected for all ARM8.1+ platforms.
      
      The previous CAS spinlock implementation had a bug wherein the spin_unlock()
      implementation had an `sev` after `stlr` which is not sufficient. A dsb is
      needed to ensure that the stlr completes prior to the sev. Having a dsb is
      heavyweight and a better solution would be to use load exclusive semantics
      to monitor the lock and wake up from wfe when a store happens to the lock.
      The patch implements the same.
      
      Change-Id: I5283ce4a889376e4cc01d1b9d09afa8229a2e522
      Signed-off-by: Soby Mathew <soby.mathew@arm.com>
      Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
  32. 12 Sep, 2019 2 commits
  33. 11 Sep, 2019 1 commit
    • Add UBSAN support and handlers · 1f461979
      Justin Chadwell authored
      
      
      This patch adds support for the Undefined Behaviour sanitizer. There are
      two types of support offered - minimalistic trapping support which
      essentially immediately crashes on undefined behaviour and full support
      with full debug messages.
      
      The full support relies on ubsan.c which has been adapted from code used
      by OPTEE.
      
      Change-Id: I417c810f4fc43dcb56db6a6a555bfd0b38440727
      Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
  34. 09 Sep, 2019 1 commit
    • Enable MTE support in both secure and non-secure worlds · 9dd94382
      Justin Chadwell authored
      
      
      This patch adds support for the new Memory Tagging Extension arriving in
      ARMv8.5. MTE support is now enabled by default on systems that support
      it at EL0. To enable it at ELx for both the non-secure and the secure
      world, the compiler flag CTX_INCLUDE_MTE_REGS includes register saving
      and restoring when necessary in order to prevent register leakage
      between the worlds.
      
      Change-Id: I2d4ea993d6b11654ea0d4757d00ca20d23acf36c
      Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
  35. 01 Aug, 2019 1 commit
    • Switch AARCH32/AARCH64 to __aarch64__ · 402b3cf8
      Julius Werner authored
      
      
      NOTE: AARCH32/AARCH64 macros are now deprecated in favor of __aarch64__.
      
      All common C compilers pre-define the same macros to signal which
      architecture the code is being compiled for: __arm__ for AArch32 (or
      earlier versions) and __aarch64__ for AArch64. There's no need for TF-A
      to define its own custom macros for this. In order to unify code with
      the export headers (which use __aarch64__ to avoid another dependency),
      let's deprecate the AARCH32 and AARCH64 macros and switch the code base
      over to the pre-defined standard macro. (Since it is somewhat
      unintuitive that __arm__ only means AArch32, let's standardize on only
      using __aarch64__.)
      
      Change-Id: Ic77de4b052297d77f38fc95f95f65a8ee70cf200
      Signed-off-by: Julius Werner <jwerner@chromium.org>