1. 29 Jun, 2020 1 commit
  2. 25 Jun, 2020 1 commit
    • Manish V Badarkhe's avatar
      plat/arm: Load and populate fw_config and tb_fw_config · 82869675
      Manish V Badarkhe authored
      
      
      Modified the code to do below changes:
      
      1. Load tb_fw_config along with fw_config by BL1.
      2. Populate fw_config device tree information in the
         BL1 to load tb_fw_config.
      3. In BL2, populate fw_config information to retrieve
         the address of tb_fw_config and then tb_fw_config
         gets populated using retrieved address.
      4. Avoid processing of configuration file in case of error
         value returned from "fw_config_load" function.
      5. Updated entrypoint information for BL2 image so
         that it's arg0 should point to fw_config address.
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      Change-Id: Ife6f7b673a074e7f544ee3d1bda7645fd5b2886c
      82869675
  3. 24 Jun, 2020 3 commits
  4. 09 Jun, 2020 2 commits
    • Madhukar Pappireddy's avatar
      plat/fvp: Add support for dynamic description of secure interrupts · 452d5e5e
      Madhukar Pappireddy authored
      
      
      Using the fconf framework, the Group 0 and Group 1 secure interrupt
      descriptors are moved to device tree and retrieved in runtime. This
      feature is enabled by the build flag SEC_INT_DESC_IN_FCONF.
      
      Change-Id: I360c63a83286c7ecc2426cd1ff1b4746d61e633c
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      452d5e5e
    • Manish Pandey's avatar
      dualroot: add chain of trust for secure partitions · 44f1aa8e
      Manish Pandey authored
      
      
      A new certificate "sip-sp-cert" has been added for Silicon Provider(SiP)
      owned Secure Partitions(SP). A similar support for Platform owned SP can
      be added in future. The certificate is also protected against anti-
      rollback using the trusted Non-Volatile counter.
      
      To avoid deviating from TBBR spec, support for SP CoT is only provided
      in dualroot.
      Secure Partition content certificate is assigned image ID 31 and SP
      images follows after it.
      
      The CoT for secure partition look like below.
      +------------------+       +-------------------+
      | ROTPK/ROTPK Hash |------>| Trusted Key       |
      +------------------+       | Certificate       |
                                 | (Auth Image)      |
                                /+-------------------+
                               /                   |
                              /                    |
                             /                     |
                            /                      |
                           L                       v
      +------------------+       +-------------------+
      | Trusted World    |------>| SiP owned SPs     |
      | Public Key       |       | Content Cert      |
      +------------------+       | (Auth Image)      |
                              /   +-------------------+
                             /                      |
                            /                      v|
      +------------------+ L     +-------------------+
      | SP_PKG1 Hash     |------>| SP_PKG1           |
      |                  |       | (Data Image)      |
      +------------------+       +-------------------+
              .                           .
              .                           .
              .                           .
      +------------------+       +-------------------+
      | SP_PKG8 Hash     |------>| SP_PKG8           |
      |                  |       | (Data Image)      |
      +------------------+       +-------------------+
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      Change-Id: Ia31546bac1327a3e0b5d37e8b99c808442d5e53f
      44f1aa8e
  5. 27 May, 2020 1 commit
    • Manish V Badarkhe's avatar
      Fix the build error for dualroot chain of trust. · b58956e9
      Manish V Badarkhe authored
      
      
      Fixed build error for dualroot chain of trust.
      Build error were thrown as below while compiling the code for
      dualroot chain of trust:
      
      aarch64-none-elf-ld.bfd: ./build/fvp/debug/bl1/tbbr_cot_bl1.o:
      (.bss.auth_img_flags+0x0): multiple definition of `auth_img_flags';
      ./build/fvp/debug/bl1/cot.o:(.bss.auth_img_flags+0x0): first defined here
      
      aarch64-none-elf-ld.bfd: ./build/fvp/debug/bl1/tbbr_cot_bl1.o:
      (.rodata.cot_desc_size+0x0): multiple definition of `cot_desc_size';
      ./build/fvp/debug/bl1/cot.o:(.rodata.cot_desc_size+0x0): first defined here
      
      aarch64-none-elf-ld.bfd: ./build/fvp/debug/bl1/tbbr_cot_bl1.o:
      (.rodata.cot_desc_ptr+0x0): multiple definition of `cot_desc_ptr';
      ./build/fvp/debug/bl1/cot.o:(.rodata.cot_desc_ptr+0x0): first defined here
      Signed-off-by: default avatarManish V Badarkhe <Manish.Badarkhe@arm.com>
      Change-Id: I1a426c4e7f5f8013d71dafc176c7467c1b329757
      b58956e9
  6. 21 May, 2020 1 commit
  7. 19 May, 2020 1 commit
  8. 15 May, 2020 1 commit
  9. 29 Apr, 2020 1 commit
    • Andre Przywara's avatar
      fdt/wrappers: Replace fdtw_read_cells() implementation · ff4e6c35
      Andre Przywara authored
      Our fdtw_read_cells() implementation goes to great lengths to
      sanity-check every parameter and result, but leaves a big hole open:
      The size of the storage the value pointer points at needs to match the
      number of cells given. This can't be easily checked at compile time,
      since we lose the size information by using a void pointer.
      Regardless the current usage of this function is somewhat wrong anyways,
      since we use it on single-element, fixed-length properties only, for
      which the DT binding specifies the size.
      Typically we use those functions dealing with a number of cells in DT
      context to deal with *dynamically* sized properties, which depend on
      other properties (#size-cells, #clock-cells, ...), to specify the number
      of cells needed.
      
      Another problem with the current implementation is the use of
      ambiguously sized types (uintptr_t, size_t) together with a certain
      expectation about their size. In general there is no relation between
      the length of a DT property and the bitness of the code that parses the
      DTB: AArch64 code could encounter 32-bit addresses (where the physical
      address space is limited to 4GB [1]), while AArch32 code could read
      64-bit sized properties (/memory nodes on LPAE systems, [2]).
      
      To make this more clear, fix the potential issues and also align more
      with other DT users (Linux and U-Boot), introduce functions to explicitly
      read uint32 and uint64 properties. As the other DT consumers, we do this
      based on the generic "read array" function.
      Convert all users to use either of those two new functions, and make
      sure we never use a pointer to anything other than uint32_t or uint64_t
      variables directly.
      
      This reveals (and fixes) a bug in plat_spmd_manifest.c, where we write
      4 bytes into a uint16_t variable (passed via a void pointer).
      
      Also we change the implementation of the function to better align with
      other libfdt users, by using the right types (fdt32_t) and common
      variable names (*prop, prop_names).
      
      [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi#n874
      [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/ecx-2000.dts
      
      
      
      Change-Id: I718de960515117ac7a3331a1b177d2ec224a3890
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      ff4e6c35
  10. 28 Apr, 2020 1 commit
    • Andre Przywara's avatar
      fdt/wrappers: Generalise fdtw_read_array() · 6e3a89f4
      Andre Przywara authored
      
      
      Currently our fdtw_read_array() implementation requires the length of
      the property to exactly match the requested size, which makes it less
      flexible for parsing generic device trees.
      Also the name is slightly misleading, since we treat the cells of the
      array as 32 bit unsigned integers, performing the endianess conversion.
      
      To fix those issues and align the code more with other DT users (Linux
      kernel or U-Boot), rename the function to "fdt_read_uint32_array", and
      relax the length check to only check if the property covers at least the
      number of cells we request.
      This also changes the variable names to be more in-line with other DT
      users, and switches to the proper data types.
      
      This makes this function more useful in later patches.
      
      Change-Id: Id86f4f588ffcb5106d4476763ecdfe35a735fa6c
      Signed-off-by: default avatarAndre Przywara <andre.przywara@arm.com>
      6e3a89f4
  11. 02 Apr, 2020 1 commit
  12. 25 Mar, 2020 1 commit
  13. 23 Mar, 2020 1 commit
  14. 17 Mar, 2020 1 commit
  15. 16 Mar, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Clean Arm IO · a6de824f
      Louis Mayencourt authored
      
      
      Merge the previously introduced arm_fconf_io_storage into arm_io_storage. This
      removes the duplicate io_policies and functions definition.
      
      This patch:
      - replace arm_io_storage.c with the content of arm_fconf_io_storage.c
      - rename the USE_FCONF_BASED_IO option into ARM_IO_IN_DTB.
      - use the ARM_IO_IN_DTB option to compile out io_policies moved in dtb.
      - propagate DEFINES when parsing dts.
      - use ARM_IO_IN_DTB to include or not uuid nodes in fw_config dtb.
      - set the ARM_IO_IN_DTB to 0 by default for fvp. This ensure that the behavior
        of fvp stays the same as it was before the introduction of fconf.
      
      Change-Id: Ia774a96d1d3a2bccad29f7ce2e2b4c21b26c080e
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      a6de824f
  16. 11 Mar, 2020 2 commits
    • Madhukar Pappireddy's avatar
      fconf: necessary modifications to support fconf in BL31 & SP_MIN · 26d1e0c3
      Madhukar Pappireddy authored
      
      
      Necessary infrastructure added to integrate fconf framework in BL31 & SP_MIN.
      Created few populator() functions which parse HW_CONFIG device tree
      and registered them with fconf framework. Many of the changes are
      only applicable for fvp platform.
      
      This patch:
      1. Adds necessary symbols and sections in BL31, SP_MIN linker script
      2. Adds necessary memory map entry for translation in BL31, SP_MIN
      3. Creates an abstraction layer for hardware configuration based on
         fconf framework
      4. Adds necessary changes to build flow (makefiles)
      5. Minimal callback to read hw_config dtb for capturing properties
         related to GIC(interrupt-controller node)
      6. updates the fconf documentation
      
      Change-Id: Ib6292071f674ef093962b9e8ba0d322b7bf919af
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      26d1e0c3
    • Madhukar Pappireddy's avatar
      fconf: enhancements to firmware configuration framework · 25d740c4
      Madhukar Pappireddy authored
      
      
      A populate() function essentially captures the value of a property,
      defined by a platform, into a fconf related c structure. Such a
      callback is usually platform specific and is associated to a specific
      configuration source.
      For example, a populate() function which captures the hardware topology
      of the platform can only parse HW_CONFIG DTB. Hence each populator
      function must be registered with a specific 'config_type' identifier.
      It broadly represents a logical grouping of configuration properties
      which is usually a device tree source file.
      
      Example:
      > TB_FW: properties related to trusted firmware such as IO policies,
      	 base address of other DTBs, mbedtls heap info etc.
      > HW_CONFIG: properties related to hardware configuration of the SoC
      	 such as topology, GIC controller, PSCI hooks, CPU ID etc.
      
      This patch modifies FCONF_REGISTER_POPULATOR macro and fconf_populate()
      to register and invoke the appropriate callbacks selectively based on
      configuration type.
      
      Change-Id: I6f63b1fd7a8729c6c9137d5b63270af1857bb44a
      Signed-off-by: default avatarMadhukar Pappireddy <madhukar.pappireddy@arm.com>
      25d740c4
  17. 04 Mar, 2020 1 commit
    • Manish Pandey's avatar
      SPMD: loading Secure Partition payloads · cb3b5344
      Manish Pandey authored
      
      
      This patch implements loading of Secure Partition packages using
      existing framework of loading other bl images.
      
      The current framework uses a statically defined array to store all the
      possible image types and at run time generates a link list and traverse
      through it to load different images.
      
      To load SPs, a new array of fixed size is introduced which will be
      dynamically populated based on number of SPs available in the system
      and it will be appended to the loadable images list.
      
      Change-Id: I8309f63595f2a71b28a73b922d20ccba9c4f6ae4
      Signed-off-by: default avatarManish Pandey <manish.pandey2@arm.com>
      cb3b5344
  18. 03 Mar, 2020 1 commit
  19. 27 Feb, 2020 1 commit
    • Louis Mayencourt's avatar
      fconf: Fix misra issues · 845db722
      Louis Mayencourt authored
      
      
      MISRA C-2012 Rule 20.7:
      Macro parameter expands into an expression without being wrapped by parentheses.
      
      MISRA C-2012 Rule 12.1:
      Missing explicit parentheses on sub-expression.
      
      MISRA C-2012 Rule 18.4:
      Essential type of the left hand operand is not the same as that of the right
      operand.
      
      Include does not provide any needed symbols.
      
      Change-Id: Ie1c6451cfbc8f519146c28b2cf15c50b1f36adc8
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      845db722
  20. 25 Feb, 2020 1 commit
  21. 24 Feb, 2020 2 commits
    • Petre-Ionut Tudor's avatar
      Read-only xlat tables for BL31 memory · 60e8f3cf
      Petre-Ionut Tudor authored
      
      
      This patch introduces a build flag which allows the xlat tables
      to be mapped in a read-only region within BL31 memory. It makes it
      much harder for someone who has acquired the ability to write to
      arbitrary secure memory addresses to gain control of the
      translation tables.
      
      The memory attributes of the descriptors describing the tables
      themselves are changed to read-only secure data. This change
      happens at the end of BL31 runtime setup. Until this point, the
      tables have read-write permissions. This gives a window of
      opportunity for changes to be made to the tables with the MMU on
      (e.g. reclaiming init code). No changes can be made to the tables
      with the MMU turned on from this point onwards. This change is also
      enabled for sp_min and tspd.
      
      To make all this possible, the base table was moved to .rodata. The
      penalty we pay is that now .rodata must be aligned to the size of
      the base table (512B alignment). Still, this is better than putting
      the base table with the higher level tables in the xlat_table
      section, as that would cost us a full 4KB page.
      
      Changing the tables from read-write to read-only cannot be done with
      the MMU on, as the break-before-make sequence would invalidate the
      descriptor which resolves the level 3 page table where that very
      descriptor is located. This would make the translation required for
      writing the changes impossible, generating an MMU fault.
      
      The caches are also flushed.
      Signed-off-by: default avatarPetre-Ionut Tudor <petre-ionut.tudor@arm.com>
      Change-Id: Ibe5de307e6dc94c67d6186139ac3973516430466
      60e8f3cf
    • Sandrine Bailleux's avatar
      plat/arm: Add support for dualroot CoT · 1035a706
      Sandrine Bailleux authored
      
      
      - Use the development PROTPK if using the dualroot CoT.
      
        Note that unlike the ROTPK, the PROTPK key hash file is not generated
        from the key file, instead it has to be provided. This might be
        enhanced in the future.
      
      - Define a CoT build flag for the platform code to provide different
        implementations where needed.
      
      Change-Id: Iaaf25183b94e77a99a5d8d875831d90c102a97ea
      Signed-off-by: default avatarSandrine Bailleux <sandrine.bailleux@arm.com>
      1035a706
  22. 19 Feb, 2020 1 commit
  23. 10 Feb, 2020 2 commits
  24. 07 Feb, 2020 9 commits
    • Louis Mayencourt's avatar
      arm-io: Panic in case of io setup failure · 97399821
      Louis Mayencourt authored
      
      
      Currently, an IO setup failure will be ignored on arm platform release
      build. Change this to panic instead.
      
      Change-Id: I027a045bce2422b0a0fc4ff9e9d4c6e7bf5d2f98
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      97399821
    • Louis Mayencourt's avatar
      MISRA fix: Use boolean essential type · d6dcbcad
      Louis Mayencourt authored
      
      
      Change the return type of "arm_io_is_toc_valid()" and
      "plat_arm_bl1_fwu_needed()" to bool, to match function behavior.
      
      Change-Id: I503fba211219a241cb263149ef36ca14e3362a1c
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      d6dcbcad
    • Louis Mayencourt's avatar
      fconf: Move platform io policies into fconf · 0a6e7e3b
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework to store the io_policies
      information inside the configuration device tree instead of the static
      structure in the code base.
      
      The io_policies required by BL1 can't be inside the dtb, as this one is
      loaded by BL1, and only available at BL2.
      
      This change currently only applies to FVP platform.
      
      Change-Id: Ic9c1ac3931a4a136aa36f7f58f66d3764c1bfca1
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      0a6e7e3b
    • Louis Mayencourt's avatar
      fconf: Add mbedtls shared heap as property · 6c972317
      Louis Mayencourt authored
      
      
      Use the firmware configuration framework in arm dynamic configuration
      to retrieve mbedtls heap information between bl1 and bl2.
      
      For this, a new fconf getter is added to expose the device tree base
      address and size.
      
      Change-Id: Ifa5ac9366ae100e2cdd1f4c8e85fc591b170f4b6
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      6c972317
    • Louis Mayencourt's avatar
      fconf: Add TBBR disable_authentication property · ce852841
      Louis Mayencourt authored
      
      
      Use fconf to retrieve the `disable_authentication` property.
      Move this access from arm dynamic configuration to bl common.
      
      Change-Id: Ibf184a5c6245d04839222f5457cf5e651f252b86
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ce852841
    • Louis Mayencourt's avatar
      fconf: Add dynamic config DTBs info as property · 25ac8794
      Louis Mayencourt authored
      
      
      This patch introduces a better separation between the trusted-boot
      related properties, and the dynamic configuration DTBs loading
      information.
      
      The dynamic configuration DTBs properties are moved to a new node:
      `dtb-registry`. All the sub-nodes present will be provided to the
      dynamic config framework to be loaded. The node currently only contains
      the already defined configuration DTBs, but can be extended for future
      features if necessary.
      The dynamic config framework is modified to use the abstraction provided
      by the fconf framework, instead of directly accessing the DTBs.
      
      The trusted-boot properties are kept under the "arm,tb_fw" compatible
      string, but in a separate `tb_fw-config` node.
      The `tb_fw-config` property of the `dtb-registry` node simply points
      to the load address of `fw_config`, as the `tb_fw-config` is currently
      part of the same DTB.
      
      Change-Id: Iceb6c4c2cb92b692b6e28dbdc9fb060f1c46de82
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      25ac8794
    • Louis Mayencourt's avatar
      fconf: Populate properties from dtb during bl2 setup · 9814bfc1
      Louis Mayencourt authored
      
      
      Use the dtb provided by bl1 as configuration file for fconf.
      
      Change-Id: I3f466ad9b7047e1a361d94e71ac6d693e31496d9
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      9814bfc1
    • Louis Mayencourt's avatar
      fconf: Load config dtb from bl1 · 3b5ea741
      Louis Mayencourt authored
      
      
      Move the loading of the dtb from arm_dym_cfg to fconf. The new loading
      function is not associated to arm platform anymore, and can be moved
      to bl_main if wanted.
      
      Change-Id: I847d07eaba36d31d9d3ed9eba8e58666ea1ba563
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      3b5ea741
    • Louis Mayencourt's avatar
      fconf: initial commit · ab1981db
      Louis Mayencourt authored
      
      
      Introduce the Firmware CONfiguration Framework (fconf).
      
      The fconf is an abstraction layer for platform specific data, allowing
      a "property" to be queried and a value retrieved without the requesting
      entity knowing what backing store is being used to hold the data.
      
      The default backing store used is C structure. If another backing store
      has to be used, the platform integrator needs to provide a "populate()"
      function to fill the corresponding C structure.
      The "populate()" function must be registered to the fconf framework with
      the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
      be called inside the "fconf_populate()" function.
      
      A two level macro is used as getter:
      - the first macro takes 3 parameters and converts it to a function
        call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
      - the second level defines a__b_getter(c) to the matching C structure,
        variable, array, function, etc..
      
      Ex: Get a Chain of trust property:
          1) FCONF_GET_PROPERY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
          2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
      
      Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
      Signed-off-by: default avatarLouis Mayencourt <louis.mayencourt@arm.com>
      ab1981db
  25. 05 Feb, 2020 1 commit
  26. 04 Feb, 2020 1 commit