The "make fip" shows the content of the generated FIP at the end of
the build.  (This is shown by "fiptool info" command.)

Prior to commit e0f083a0 ("fiptool: Prepare ground for expanding
the set of images at runtime"), the last part of the build log of
 make CROSS_COMPILE=aarch64-linux-gnu- BL33=../u-boot/u-boot.bin fip
was like follows:

 Trusted Boot Firmware BL2: offset=0xB0, size=0x4188, cmdline="--tb-fw"
 EL3 Runtime Firmware BL31: offset=0x4238, size=0x6090, cmdline="--soc-fw"
 Non-Trusted Firmware BL33: offset=0xA2C8, size=0x58B51, cmdline="--nt-fw"

With that commit, now it is displayed like follows:

 Non-Trusted Firmware BL33: offset=0xB0, size=0x58B51, cmdline="--nt-fw"
 EL3 Runtime Firmware BL31: offset=0x58C01, size=0x6090, cmdline="--soc-fw"
 Trusted Boot Firmware BL2: offset=0x5EC91, size=0x4188, cmdline="--tb-fw"

You will notice two differences:
  - the contents are displayed in BL33, BL31, BL2 order
  - the offset values are wrong

The latter is more serious, and means "fiptool info" is broken.

Another interesting change is "fiptool update" every time reverses
the image order.  For example, if you input FIP with BL2, BL31, BL33
in this order, the command will pack BL33, BL31, BL2 into FIP, in
this order.  Of course, the order of components is not a big deal
except that users will have poor impression about this.

The root cause is in the implementation of add_image(); the
image_head points to the last added image.  For example, if you call
add_image() for BL2, BL31, BL33 in this order, the resulted image
chain is:

  image_head -> BL33 -> BL31 -> BL2

Then, they are processed from the image_head in "for" loops:

  for (image = image_head; image != NULL; image = image->next) {

This means images are handled in Last-In First-Out manner.

Interestingly, "fiptool create" is still correct because
add_image_desc() also reverses the descriptor order and the command
works as before due to the double reverse.

The implementation of add_image() is efficient, but it made the
situation too complicated.

Let's make image_head point to the first added image.  This will
add_image() inefficient because every call of add_image() follows
the ->next chain to get the tail.  We can solve it by adopting a
nicer linked list structure, but I am not doing as far as that
because we handle only limited number of images anyway.

Do likewise for add_image_desc().

Fixes: e0f083a0

 ("fiptool: Prepare ground for expanding the set of images at runtime")
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

We often want to zero out allocated memory.

My main motivation for this commit is to set image::next and
image_desc::next to NULL automatically in the next commit.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

uart: 16550: Fix getc

fiptool: Add support for operating on binary blobs using the UUID

Improve dependency file generation

tbz check for RDR status is to check for a bit being zero.
Unfortunately, we are using a mask rather than the bit position.

Further as per http://www.ti.com/lit/ds/symlink/pc16550d.pdf

 (page 17),
LSR register bit 0 is Data ready status (RDR), not bit position 2.

Update the same to match the specification.
Reported-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: Nishanth Menon <nm@ti.com>

zynqmp: Migrate to new address space macros

TBB: fix comment about MBEDTLS_KEY_ALG default

rockchip: Build m0 firmware without standard libraries

Commit 0029624f

 ("Add
PLAT_xxx_ADDR_SPACE_SIZE definition") deprecates 'ADDR_SPACE_SIZE' in
favor of PLAT_(PHY|VIRT)_ADDRESS_SPACE_SIZE. Migrate the zynqmp platform
to use the new interface.
Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

This comment block says the default algorithm is ESDSA, while the
code obviously sets the default to RSA:

  ifeq (${MBEDTLS_KEY_ALG},)
      MBEDTLS_KEY_ALG            :=      rsa
  endif

The git log of commit 7d37aa17

 ("TBB: add mbedTLS authentication
related libraries") states available options are:

  * 'rsa' (for RSA-2048) (default option)
  * 'ecdsa' (for ECDSA-SECP256R1)

So, my best guess is the comment block is wrong.

The mismatch between the code and the comment is confusing. Fix it.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

This adds a phony target for each dependency other than the main
file, causing each to depend on nothing.

Without this, the incremental build will fail when a header file
is removed.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Currently, .d files are generated before any objects are built.
So, IS_ANYTHING_TO_BUILD flag is needed to avoid such processing for
non-build targets.

There is a cleverer way; just create a .d file simultaneously when
the corresponding object is created.  No need to have separate rules
for .d files.

This commit will also fix a bug; -D$(IMAGE) is defined for $(OBJ),
but not for $(PREREQUISITES).  So, .d files are generated with
different macro sets from those for .o files, then wrong .d files
are generated.

For example, in lib/cpus/aarch64/cpu_helpers.S

  #if IMAGE_BL31
  #include <cpu_data.h>
  #endif

<cpu_data.h> is parsed for the object when built for BL31, but the
.d file does not pick up that dependency.

With this commit, the compiler will generate .o and .d at the same
time, guaranteeing they are generated under the same circumstances.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Using AS for pre-processing looks a bit weird, and some assembly
specific options are given for nothing.  Rather, use CPP.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

The -c flag should not be included in the global variable TF_CFLAGS;
it should be specified in the build rule only when its target is a
*.o file.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>

Depending on the compiler used, it might try to link in libc even though
it's not required. Stop it from doing that.
Signed-off-by: Patrick Georgi <pgeorgi@google.com>

An image descriptor contains an action and an argument.  The action
indicates the intended operation, as requested by the user.  It can be
pack, unpack or remove.  Factor out setting those fields to a separate
function to minimize code duplication across the various commands that
modify these fields.

Change-Id: I1682958e8e83c4884e435cff6d0833c67726461f
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Change-Id: If279680a71e7fa1f801d79b8bc2cd47cd9905d33
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Change-Id: Ife8f198b4c45961e85ed6f4d463daa59009dab1c
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Previously, fiptool only understood a fixed set of images as
specified in tbbr_config.c.  It preserved unknown images during
the update, unpack and remove operations but it was not possible to
explicitly refer to one of those unknown images.

Add a new --blob option to create/update/unpack/remove images that
are not known at compile time.  This is accomplished by specifying
the UUID and filename pair as shown below:

$ ./fiptool create --blob uuid=01234567-89ab-cdef-0123-456789abcdef,file=foo.bin fip.bin
$ ./fiptool info fip.bin
01234567-89ab-cdef-0123-456789abcdef: offset=0x60, size=0x1AA68

Fixes ARM-software/tf-issues#420

Change-Id: Iaac2504b9a4252289c09e73d29645cbe240f3a82
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

To allow operating on images with unknown UUIDs, fiptool needs to
be able to track an arbitrary amount of images and not be limited
to the set of images described by the builtin table.

Convert the table to a list to accommodate this scenario.

Change-Id: I0e6d738eece7795d74fc72d165a3098f223d4414
Signed-off-by: dp-arm <dimitris.papastamos@arm.com>

Abort preempted TSP STD SMC after PSCI CPU suspend

Standard SMC requests that are handled in the secure-world by the Secure
Payload can be preempted by interrupts that must be handled in the
normal world. When the TSP is preempted the secure context is stored and
control is passed to the normal world to handle the non-secure
interrupt. Once completed the preempted secure context is restored. When
restoring the preempted context, the dispatcher assumes that the TSP
preempted context is still stored as the SECURE context by the context
management library.

However, PSCI power management operations causes synchronous entry into
TSP. This overwrites the preempted SECURE context in the context
management library. When restoring back the SECURE context, the Secure
Payload crashes because this context is not the preempted context
anymore.

This patch avoids corruption of the preempted SECURE context by aborting
any preempted SMC during PSCI power management calls. The
abort_std_smc_entry hook of the TSP is calle...

Fix TSP_STD_FID macro

Enforce valid FID input in TSP_STD_FID and TSP_FAST_FID macros.
Also remove an undefined behavior by using unsigned literals.

Change-Id: Id37e908da861980a4eaa3a70b37a729f416ce272
Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>

zynqmp: add "override" directive to mandatory options

AArch32: Print ASM_ASSERT and panic messages

The platform.mk sets build options required for ZynqMP, but users
can still change them from the command line, like:

  make PLAT=zynqmp RESET_TO_BL31=0 CROSS_COMPILE=...

Then, the makefile shows an error message in that case:
  Using BL31 as the reset vector is only one option supported on ZynqMP.
  Please set RESET_TO_BL31 to 1.

If the option is not user-configurable, the makefile can specify
"override" to prevent users from changing it.  We do not need the
error message for the case that never happens.

Likewise, ENABLE_PLAT_COMPAT := 0 and PROGRAMMABLE_RESET_ADDRESS := 1
are mandatory to avoid build error.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Soren Brinkmann <soren.brinkmann@xilinx.com>

Add provision to extend CPU operations at more levels

GIC driver changes for extended power management

 - Clarify the documentation of the 'FWU_SMC_IMAGE_COPY' SMC in the
   Firmware Update guide. Also extend the list of pre-conditions to
   include the additional input validation implemented by previous
   patches.

 - Improve documentation of bl1_plat_mem_check() in the porting
   guide. It now specifies that the generic FWU code protects
   bl1_plat_mem_check() from integer overflows resulting from
   the addition of the base address and size passed in arguments.

Change-Id: I07b47a3778df7b9c089529b2dd2135707640a91c
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Before adding a base address and a size to compute the end
address of an image to copy or authenticate, check this
won't result in an integer overflow. If it does then consider
the input arguments are invalid.

As a result, bl1_plat_mem_check() can now safely assume the
end address (computed as the sum of the base address and size
of the memory region) doesn't overflow, as the validation is
done upfront in bl1_fwu_image_copy/auth(). A debug assertion
has been added nonetheless in the ARM implementation in order
to help catching such problems, should bl1_plat_mem_check()
be called in a different context in the future.

Fixes TFV-1: Malformed Firmware Update SMC can result in copy
of unexpectedly large data into secure memory

Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Dan Handley <dan.handley@arm.com>

These debug assertions sanity check the state of the internal
FWU state machine data when resuming an incomplete image copy
operation.

Change-Id: I38a125b0073658c3e2b4b1bdc623ec221741f43e
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

This patch refactors the code of the function handling a FWU_AUTH_COPY
SMC in BL1. All input validation has been moved upfront so it is now
shared between the RESET and COPYING states.

Change-Id: I6a86576b9ce3243c401c2474fe06f06687a70e2f
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Dan Handley <dan.handley@arm.com>

This patch introduces no functional change, it just changes
the serial console output.

 - Improve accuracy of error messages by decoupling some
   error cases;

 - Improve comments;

 - Move declaration of 'mem_layout' local variable closer to
   where it is used and make it const;

 - Rename a local variable to clarify whether it is a source
   or a destination address (base_addr -> dest_addr).

Change-Id: I349fcf053e233f316310892211d49e35ef2c39d9
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Signed-off-by: Dan Handley <dan.handley@arm.com>

The is_mem_free() function used to be local to bl_common.c.
This patch exports it so that it can be used outside of bl_common.c.

Change-Id: I01dcb4229f3a36f56a4724b567c5e6c416dc5e98
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>

Enable TRUSTED_BOARD_BOOT support for LOAD_IMAGE_V2=1

Add two timestamps to measure PSCI cache flush overhead