- 29 Nov, 2016 1 commit
-
-
Antonio Nino Diaz authored
When loading and authenticating an image, all parent images must also be authenticated. The parent images are just certificates that don't need to be used by any other CPU except the one loading the image, and so there is no need to flush the cache of memory regions where they are loaded. Change-Id: Ice8d6979d1c02eabf1a543281ae1a07d098e4a99 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 20 Sep, 2016 1 commit
-
-
Yatharth Kochar authored
This patch adds capability to load BL images based on image descriptors instead of hard coded way of loading BL images. This framework is designed such that it can be readily adapted by any BL stage that needs to load images. In order to provide the above capability the following new platform functions are introduced: bl_load_info_t *plat_get_bl_image_load_info(void); This function returns pointer to the list of images that the platform has populated to load. bl_params_t *plat_get_next_bl_params(void); This function returns a pointer to the shared memory that the platform has kept aside to pass trusted firmware related information that next BL image needs. void plat_flush_next_bl_params(void); This function flushes to main memory all the params that are passed to next image. int bl2_plat_handle_post_image_load(unsigned int image_id) This function can be used by the platforms to update/use image information for given `image_id`. `desc_image_load.c` contains utility functions which can be used by the platforms to generate, load and executable, image list based on the registered image descriptors. This patch also adds new version of `load_image/load_auth_image` functions in-order to achieve the above capability. Following are the changes for the new version as compared to old: - Refactor the signature and only keep image_id and image_info_t arguments. Removed image_base argument as it is already passed through image_info_t. Given that the BL image base addresses and limit/size are already provided by the platforms, the meminfo_t and entry_point_info arguments are not needed to provide/reserve the extent of free memory for the given BL image. - Added check for the image size against the defined max size. This is needed because the image size could come from an unauthenticated source (e.g. the FIP header). To make this check, new member is added to the image_info_t struct for identifying the image maximum size. New flag `LOAD_IMAGE_V2` is added in the Makefile. Default value is 0. NOTE: `TRUSTED_BOARD_BOOT` is currently not supported when `LOAD_IMAGE_V2` is enabled. Change-Id: Ia7b643f4817a170d5a2fbf479b9bc12e63112e79
-
- 31 Aug, 2016 1 commit
-
-
Soby Mathew authored
This patch resolves a build error in Trusted Firmware when `ARCH=aarch32` and LOG_LEVEL >= 50. Change-Id: I62a23ded4a25304533cdcc5ff11442aee041709b
-
- 17 Aug, 2016 1 commit
-
-
Dan Handley authored
At the end of successful image authentication in load_auth_image(), the data cache for the virtual address range corresponding to the image is invalidated (by a call to inv_dcache_range()). The intent seems to be to ensure the data caches do not contain any sensitive data used during authentication, which subsequent code can read. However, this same address range is already flushed (cleaned and invalidated by a call to flush_dcache_range()) at the end of load_image(), and the subsequent invalidate has no functional effect. This patch removes the redundant call to inv_dcache_range(). It also moves the flush_dcache_range() call from the end of load_image() to the end of load_auth_image(), so the image data will remain in the caches during authentication, improving performance. This also improves the comments that explain the rationale for calling flush_dcache_range() after image loading/authentication. Change-Id: I14f17ad2935075ef6f3d1327361c5088bfb2d284
-
- 25 Jul, 2016 1 commit
-
-
Sandrine Bailleux authored
This patch adds some runtime checks to prevent some potential pointer overflow issues in the is_mem_free() function. The overflow could happen in the case where the end addresses, computed as the sum of a base address and a size, results in a value large enough to wrap around. This, in turn, could lead to unpredictable behaviour. If such an overflow is detected, the is_mem_free() function will now declare the memory region as not free. The overflow is detected using a new macro, called check_uptr_overflow(). This patch also modifies all other places in the 'bl_common.c' file where an end address was computed as the sum of a base address and a size and instead keeps the two values separate. This avoids the need to handle pointer overflows everywhere. The code doesn't actually need to compute any end address before the is_mem_free() function is called other than to print information message to the serial output. This patch also introduces 2 slight changes to the reserve_mem() function: - It fixes the end addresses passed to choose_mem_pos(). It was incorrectly passing (base + size) instead of (base + size - 1). - When the requested allocation size is 0, the function now exits straight away and says so using a warning message. Previously, it used to actually reserve some memory. A zero-byte allocation was not considered as a special case so the function was using the same top/bottom allocation mechanism as for any other allocation. As a result, the smallest area of memory starting from the requested base address within the free region was reserved. Change-Id: I0e695f961e24e56ffe000718014e0496dc6e1ec6
-
- 18 Jul, 2016 1 commit
-
-
Soby Mathew authored
This patch reworks type usage in generic code, drivers and ARM platform files to make it more portable. The major changes done with respect to type usage are as listed below: * Use uintptr_t for storing address instead of uint64_t or unsigned long. * Review usage of unsigned long as it can no longer be assumed to be 64 bit. * Use u_register_t for register values whose width varies depending on whether AArch64 or AArch32. * Use generic C types where-ever possible. In addition to the above changes, this patch also modifies format specifiers in print invocations so that they are AArch64/AArch32 agnostic. Only files related to upcoming feature development have been reworked. Change-Id: I9f8c78347c5a52ba7027ff389791f1dad63ee5f8
-
- 07 Jun, 2016 1 commit
-
-
Sandrine Bailleux authored
- Fix the function documentation. Since commit 16948ae1, load_image() uses image IDs rather than image names. - Clarify the consequences of a null entry point argument. - Slightly reorganize the code to remove an unnecessary 'if' statement. Change-Id: Iebea3149a37f23d3b847a37a206ed23f7e8ec717
-
- 13 Apr, 2016 1 commit
-
-
Soby Mathew authored
The AArch32 long descriptor format and the AArch64 descriptor format correspond to each other which allows possible sharing of xlat_tables library code between AArch64 and AArch32. This patch refactors the xlat_tables library code to seperate the common functionality from architecture specific code. Prior to this patch, all of the xlat_tables library code were in `lib/aarch64/xlat_tables.c` file. The refactored code is now in `lib/xlat_tables/` directory. The AArch64 specific programming for xlat_tables is in `lib/xlat_tables/aarch64/xlat_tables.c` and the rest of the code common to AArch64 and AArch32 is in `lib/xlat_tables/xlat_tables_common.c`. Also the data types used in xlat_tables library APIs are reworked to make it compatible between AArch64 and AArch32. The `lib/aarch64/xlat_tables.c` file now includes the new xlat_tables library files to retain compatibility for existing platform ports. The macros related to xlat_tables library are also moved from `include/lib/aarch64/arch.h` to the header `include/lib/xlat_tables.h`. NOTE: THE `lib/aarch64/xlat_tables.c` FILE IS DEPRECATED AND PLATFORM PORTS ARE EXPECTED TO INCLUDE THE NEW XLAT_TABLES LIBRARY FILES IN THEIR MAKEFILES. Change-Id: I3d17217d24aaf3a05a4685d642a31d4d56255a0f
-
- 18 Feb, 2016 1 commit
-
-
Antonio Nino Diaz authored
This patch adds support for the `%p` format specifier in tf_printf() following the example of the printf implementation of the stdlib used in the trusted firmware. Fixes ARM-software/tf-issues#292 Change-Id: I0b3230c783f735d3e039be25a9405f00023420da
-
- 02 Nov, 2015 2 commits
-
-
Juan Castillo authored
Patch 7e26fe1f deprecates IO specific return definitions in favour of standard errno codes. This patch removes those definitions and its usage from the IO framework, IO drivers and IO platform layer. Following this patch, standard errno codes must be used when checking the return value of an IO function. Change-Id: Id6e0e9d0a7daf15a81ec598cf74de83d5768650f
-
Sandrine Bailleux authored
This patch introduces a new function called 'print_entry_point_info' that prints an entry_point_t structure for debugging purposes. As such, it can be used to display the entry point address, SPSR and arguments passed from a firmware image to the next one. This function is now called in the following images transitions: - BL1 to BL2 - BL1 to BL31 - BL31 to the next image (typically BL32 or BL33) The following changes have been introduced: - Fix the output format of the SPSR value : SPSR is a 32-bit value, not a 64-bit one. - Print all arguments values. The entry_point_info_t structure allows to pass up to 8 arguments. In most cases, only the first 2 arguments were printed. print_entry_point_info() now prints all of them as 'VERBOSE' traces. Change-Id: Ieb384bffaa7849e6cb95a01a47c0b7fc2308653a
-
- 23 Oct, 2015 1 commit
-
-
Juan Castillo authored
This patch replaces custom definitions used as return values for the load_auth_image() function with standard error codes defined in errno.h. The custom definitions have been removed. It also replaces the usage of IO framework error custom definitions, which have been deprecated. Standard errno definitions are used instead. Change-Id: I1228477346d3876151c05b470d9669c37fd231be
-
- 02 Sep, 2015 1 commit
-
-
Vikram Kanigiri authored
BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to run in secure world otherwise BL3-1/BL3-2 have to execute from non-secure memory. Hence, This patch removes the change_security_state() call in bl1_run_bl2() and replaces it with an assert to confirm the BL2 as secure. Fixes ARM-software/tf-issues#314 Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
-
- 20 Aug, 2015 1 commit
-
-
Juan Castillo authored
BL3-2 image (Secure Payload) is optional. If the image cannot be loaded a warning message is printed and the boot process continues. According to the TBBR document, this behaviour should not apply in case of an authentication error, where the boot process should be aborted. This patch modifies the load_auth_image() function to distinguish between a load error and an authentication error. The caller uses the return value to abort the boot process or continue. In case of authentication error, the memory region used to store the image is wiped clean. Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
-
- 25 Jun, 2015 2 commits
-
-
Juan Castillo authored
This patch modifies the Trusted Board Boot implementation to use the new authentication framework, making use of the authentication module, the cryto module and the image parser module to authenticate the images in the Chain of Trust. A new function 'load_auth_image()' has been implemented. When TBB is enabled, this function will call the authentication module to authenticate parent images following the CoT up to the root of trust to finally load and authenticate the requested image. The platform is responsible for picking up the right makefiles to build the corresponding cryptographic and image parser libraries. ARM platforms use the mbedTLS based libraries. The platform may also specify what key algorithm should be used to sign the certificates. This is done by declaring the 'KEY_ALG' variable in the platform makefile. FVP and Juno use ECDSA keys. On ARM platforms, BL2 and BL1-RW regions have been increased 4KB each to accommodate the ECDSA code. REMOVED BUILD OPTIONS: * 'AUTH_MOD' Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
-
Juan Castillo authored
The Trusted firmware code identifies BL images by name. The platform port defines a name for each image e.g. the IO framework uses this mechanism in the platform function plat_get_image_source(). For a given image name, it returns the handle to the image file which involves comparing images names. In addition, if the image is packaged in a FIP, a name comparison is required to find the UUID for the image. This method is not optimal. This patch changes the interface between the generic and platform code with regard to identifying images. The platform port must now allocate a unique number (ID) for every image. The generic code will use the image ID instead of the name to access its attributes. As a result, the plat_get_image_source() function now takes an image ID as an input parameter. The organisation of data structures within the IO framework has been rationalised to use an image ID as an index into an array which contains attributes of the image such as UUID and name. This prevents the name comparisons. A new type 'io_uuid_spec_t' has been introduced in the IO framework to specify images identified by UUID (i.e. when the image is contained in a FIP file). There is no longer need to maintain a look-up table [iname_name --> uuid] in the io_fip driver code. Because image names are no longer mandatory in the platform port, the debug messages in the generic code will show the image identifier instead of the file name. The platforms that support semihosting to load images (i.e. FVP) must provide the file names as definitions private to the platform. The ARM platform ports and documentation have been updated accordingly. All ARM platforms reuse the image IDs defined in the platform common code. These IDs will be used to access other attributes of an image in subsequent patches. IMPORTANT: applying this patch breaks compatibility for platforms that use TF BL1 or BL2 images or the image loading code. The platform port must be updated to match the new interface. Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
-
- 27 Apr, 2015 1 commit
-
-
Dan Handley authored
Commit dad25049 adds support for type checking in printf-like functions. Some of the VERBOSE logging statements were not updated at that time. Fix the type mismatches in the verbose logging statements. Change-Id: Idd9a49e41cc0dc31f7698e220819d934e3d2d10e
-
- 28 Jan, 2015 1 commit
-
-
Juan Castillo authored
This patch adds support to not reserve the memory where an image is loaded if the image is: 1. A non-executable image e.g. a certificate 2. An executable image which is not meant to run on the application CPU (e.g. BL3-0) Both types of images are characterized by a NULL entrypoint argument to the load_image() function. It is used to distinguish them from other type of images. Important: Use this feature carefully. The caller is responsible for providing a valid entrypoint while loading images which will execute on the application CPU to prevent a potential overwrite of the corresponding memory region. Change-Id: Ied482280d9db714c529ec12c33a6c1d918d77a4e
-
- 12 Aug, 2014 1 commit
-
-
Dan Handley authored
Fix the following issues with the console log output: * Make sure the welcome string is the first thing in the log output (during normal boot). * Prefix each message with the BL image name so it's clear which BL the output is coming from. * Ensure all output is wrapped in one of the log output macros so it can be easily compiled out if necessary. Change some of the INFO() messages to VERBOSE(), especially in the TSP. * Create some extra NOTICE() and INFO() messages during cold boot. * Remove all usage of \r in log output. Fixes ARM-software/tf-issues#231 Change-Id: Ib24f7acb36ce64bbba549f204b9cde2dbb46c8a3
-
- 28 Jul, 2014 1 commit
-
-
Juan Castillo authored
Assert a valid security state using the macro sec_state_is_valid(). Replace assert() with panic() in those cases that might arise because of runtime errors and not programming errors. Replace panic() with assert() in those cases that might arise because of programming errors. Fixes ARM-software/tf-issues#96 Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
-
- 25 Jul, 2014 1 commit
-
-
Soby Mathew authored
This patch implements a "tf_printf" which supports only the commonly used format specifiers in Trusted Firmware, which uses a lot less stack space than the stdlib printf function. Fixes ARM-software/tf-issues#116 Change-Id: I7dfa1944f4c1e634b3e2d571f49afe02d109a351
-
- 01 Jul, 2014 1 commit
-
-
Sandrine Bailleux authored
This concept is no longer required since we now support loading of images at fixed addresses only. The image loader now automatically detects the position of the image inside the current memory layout and updates the layout such that memory fragmentation is minimised. The 'attr' field of the meminfo data structure, which used to hold the bottom/top loading information, has been removed. Also the 'next' field has been removed as it wasn't used anywhere. The 'init_bl2_mem_layout()' function has been moved out of common code and put in BL1-specific code. It has also been renamed into 'bl1_init_bl2_mem_layout'. Fixes ARM-software/tf-issues#109 Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
-
- 05 Jun, 2014 1 commit
-
-
Sandrine Bailleux authored
There are cases where the entry point information is useless to the caller, e.g. when an image just needs to be loaded in memory but won't ever be executed. This patch allows load_image() function to take a NULL pointer as the entry point argument. In this case, it won't be populated. Change-Id: Ie9394b054457706c6699926c5e0206e0c3851c56
-
- 23 May, 2014 1 commit
-
-
Dan Handley authored
Some platform porting functions were in BL specific header files. These have been moved to platform.h so that all porting functions are in the same place. The functions are now grouped by BL. Obsolete BL headers files have been removed. Also, the weak declaration of the init_bl2_mem_layout() function has been moved out the header file and into the source file (bl_common.c) using the more succinct #pragma syntax. This mitigates the risk of 2 weak definitions being created and the wrong one being picked up by the compiler. Change-Id: Ib19934939fd755f3e5a5a5bceec88da684308a83
-
- 22 May, 2014 4 commits
-
-
Vikram Kanigiri authored
The issues addressed in this patch are: 1. Remove meminfo_t from the common interfaces in BL3-x, expecting that platform code will find a suitable mechanism to determine the memory extents in these images and provide it to the BL3-x images. 2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x code as the images use link-time information to determine memory extents. meminfo_t is still used by common interface in BL1/BL2 for loading images Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f
-
Vikram Kanigiri authored
This patch is based on spec published at https://github.com/ARM-software/tf-issues/issues/133 It rearranges the bl31_args struct into bl31_params and bl31_plat_params which provide the information needed for Trusted firmware and platform specific data via x0 and x1 On the FVP platform BL3-1 params and BL3-1 plat params and its constituents are stored at the start of TZDRAM. The information about memory availability and size for BL3-1, BL3-2 and BL3-3 is moved into platform specific data. Change-Id: I8b32057a3d0dd3968ea26c2541a0714177820da9
-
Vikram Kanigiri authored
This patch reworks the handover interface from: BL1 to BL2 and BL2 to BL3-1. It removes the raise_el(), change_el(), drop_el() and run_image() functions as they catered for code paths that were never exercised. BL1 calls bl1_run_bl2() to jump into BL2 instead of doing the same by calling run_image(). Similarly, BL2 issues the SMC to transfer execution to BL3-1 through BL1 directly. Only x0 and x1 are used to pass arguments to BL31. These arguments and parameters for running BL3-1 are passed through a reference to a 'el_change_info_t' structure. They were being passed value in general purpose registers earlier. Change-Id: Id4fd019a19a9595de063766d4a66295a2c9307e1
-
Vikram Kanigiri authored
This patch introduces macros (SPSR_64 and SPSR_32) to create a SPSR for both aarch32 and aarch64 execution states. These macros allow the user to set fields in the SPSR depending upon its format. The make_spsr() function which did not allow manipulation of all the fields in the aarch32 SPSR has been replaced by these new macros. Change-Id: I9425dda0923e8d5f03d03ddb8fa0e28392c4c61e
-
- 09 May, 2014 1 commit
-
-
Sandrine Bailleux authored
The goal of these macros is to improve code readability by providing a concise way to check whether we are running in the expected exception level. Change-Id: If9aebadfb6299a5196e9a582b442f0971d9909b1
-
- 06 May, 2014 4 commits
-
-
Dan Handley authored
Update code base to remove variables from the .data section, mainly by using const static data where possible and adding the const specifier as required. Most changes are to the IO subsystem, including the framework APIs. The FVP power management code is also affected. Delay initialization of the global static variable, next_image_type in bl31_main.c, until it is realy needed. Doing this moves the variable from the .data to the .bss section. Also review the IO interface for inconsistencies, using uintptr_t where possible instead of void *. Remove the io_handle and io_dev_handle typedefs, which were unnecessary, replacing instances with uintptr_t. Fixes ARM-software/tf-issues#107. Change-Id: I085a62197c82410b566e4698e5590063563ed304
-
Dan Handley authored
Reduce the number of header files included from other header files as much as possible without splitting the files. Use forward declarations where possible. This allows removal of some unnecessary "#ifndef __ASSEMBLY__" statements. Also, review the .c and .S files for which header files really need including and reorder the #include statements alphabetically. Fixes ARM-software/tf-issues#31 Change-Id: Iec92fb976334c77453e010b60bcf56f3be72bd3e
-
Dan Handley authored
Add tag names to all unnamed structs in header files. This allows forward declaration of structs, which is necessary to reduce header file nesting (to be implemented in a subsequent commit). Also change the typedef names across the codebase to use the _t suffix to be more conformant with the Linux coding style. The coding style actually prefers us not to use typedefs at all but this is considered a step too far for Trusted Firmware. Also change the IO framework structs defintions to use typedef'd structs to be consistent with the rest of the codebase. Change-Id: I722b2c86fc0d92e4da3b15e5cab20373dd26786f
-
Dan Handley authored
Make codebase consistent in its use of #include "" syntax for user includes and #include <> syntax for system includes. Fixes ARM-software/tf-issues#65 Change-Id: If2f7c4885173b1fd05ac2cde5f1c8a07000c7a33
-
- 21 Mar, 2014 1 commit
-
-
Vikram Kanigiri authored
Each ARM Trusted Firmware image should know in which EL it is running and it should use the corresponding register directly instead of reading currentEL and knowing which asm register to read/write Change-Id: Ief35630190b6f07c8fbb7ba6cb20db308f002945
-
- 05 Mar, 2014 1 commit
-
-
Ryan Harkin authored
Fixes ARM-software/tf-issues#42 Some callers of load_image() may need to get the size of the image before/after loading it. Change-Id: I8dc067b69fc711433651a560ba5a8c3519445857 Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
-
- 20 Feb, 2014 2 commits
-
-
Jeenu Viswambharan authored
At present many recoverable failures are reported as errors. This patch modifies all such failures to be reported as warnings instead. Change-Id: I5141653c82498defcada9b90fdf7498ba496b2f2
-
Achin Gupta authored
This patch reworks BL2 to BL3-1 hand over interface by introducing a composite structure (bl31_args) that holds the superset of information that needs to be passed from BL2 to BL3-1. - The extents of secure memory available to BL3-1 - The extents of memory available to BL3-2 (not yet implemented) and BL3-3 - Information to execute BL3-2 (not yet implemented) and BL3-3 images This patch also introduces a new platform API (bl2_get_bl31_args_ptr) that needs to be implemented by the platform code to export reference to bl31_args structure which has been allocated in platform-defined memory. The platform will initialize the extents of memory available to BL3-3 during early platform setup in bl31_args structure. This obviates the need for bl2_get_ns_mem_layout platform API. BL2 calls the bl2_get_bl31_args_ptr function to get a reference to bl31_args structure. It uses the 'bl33_meminfo' field of this structure to load the BL3-3 image. It sets the entry point information for the BL3-3 image in the 'bl33_image_info' field of this structure. The reference to this structure is passed to the BL3-1 image. Also fixes issue ARM-software/tf-issues#25 Change-Id: Ic36426196dd5ebf89e60ff42643bed01b3500517
-
- 17 Feb, 2014 2 commits
-
-
James Morrissey authored
The modified implementation uses the IO abstraction rather than making direct semi-hosting calls. The semi-hosting driver is now registered for the FVP platform during initialisation of each boot stage where it is used. Additionally, the FVP platform includes a straightforward implementation of 'plat_get_image_source' which provides a generic means for the 'load_image' function to determine how to access the image data. Change-Id: Ia34457b471dbee990c7b3c79de7aee4ceea51aa6
-
James Morrissey authored
Also fix warnings generated in release builds when assert code is absent. Change-Id: I45b9173d3888f9e93e98eb5b4fdc06727ba5cbf4
-
- 17 Jan, 2014 1 commit
-
-
Dan Handley authored
Change-Id: Ic7fb61aabae1d515b9e6baf3dd003807ff42da60
-