- 28 Sep, 2018 1 commit
-
-
Roberto Vargas authored
The code of LOAD_IMAGE_V2=0 has been removed. Change-Id: Iea03e5bebb90c66889bdb23f85c07d0c9717fffe Co-authored-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com> Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 21 Sep, 2018 1 commit
-
-
Daniel Boulby authored
Ensure case clauses: * Terminate with an unconditional break, return or goto statement. * Use conditional break, return or goto statements as long as the end of the case clause is unreachable; such case clauses must terminate with assert(0) /* Unreachable */ or an unconditional __dead2 function call * Only fallthough when doing otherwise would result in less readable/maintainable code; such case clauses must terminate with a /* Fallthrough */ comment to make it clear this is the case and indicate that a fallthrough is intended. This reduces the chance of bugs appearing due to unintended flow through a switch statement Change-Id: I70fc2d1f4fd679042397dec12fd1982976646168 Signed-off-by: Daniel Boulby <daniel.boulby@arm.com>
-
- 13 Apr, 2018 1 commit
-
-
Roberto Vargas authored
Rule 8.3: All declarations of an object or function shall use the same names and type qualifiers Fixed for: make DEBUG=1 PLAT=fvp SPD=tspd TRUSTED_BOARD_BOOT=1 \ GENERATE_COT=1 ARM_ROTPK_LOCATION=devel_rsa \ ROT_KEY=arm_rotprivk_rsa.pem MBEDTLS_DIR=mbedtls all Change-Id: Ia34fe1ae1f142e89c9a6c19831e3daf4d28f5831 Signed-off-by: Roberto Vargas <roberto.vargas@arm.com>
-
- 26 Mar, 2018 1 commit
-
-
Jonathan Wright authored
Ensure (where possible) that switch statements in bl1 comply with MISRA rules 16.1 - 16.7 Return statements inside switch clauses mean that we do not comply with rule 16.3. Change-Id: I8342389ba525dfc68b88e67dbb3690a529abfeb1 Signed-off-by: Jonathan Wright <jonathan.wright@arm.com>
-
- 21 Mar, 2018 1 commit
-
-
Antonio Nino Diaz authored
When the source code says 'SMCC' it is talking about the SMC Calling Convention. The correct acronym is SMCCC. This affects a few definitions and file names. Some files have been renamed (smcc.h, smcc_helpers.h and smcc_macros.S) but the old files have been kept for compatibility, they include the new ones with an ERROR_DEPRECATED guard. Change-Id: I78f94052a502436fdd97ca32c0fe86bd58173f2f Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 26 Feb, 2018 1 commit
-
-
Soby Mathew authored
This patch adds an argument to bl1_plat_post/pre_image_load() APIs to make it more future proof. The default implementation of these are moved to `plat_bl1_common.c` file. These APIs are now invoked appropriately in the FWU code path prior to or post image loading by BL1 and are not restricted to LOAD_IMAGE_V2. The patch also reorganizes some common platform files. The previous `plat_bl2_el3_common.c` and `platform_helpers_default.c` files are merged into a new `plat_bl_common.c` file. NOTE: The addition of an argument to the above mentioned platform APIs is not expected to have a great impact because these APIs were only recently added and are unlikely to be used. Change-Id: I0519caaee0f774dd33638ff63a2e597ea178c453 Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 12 Jul, 2017 1 commit
-
-
Isla Mitchell authored
This fix modifies the order of system includes to meet the ARM TF coding standard. There are some exceptions in order to retain header groupings, minimise changes to imported headers, and where there are headers within the #if and #ifndef statements. Change-Id: I65085a142ba6a83792b26efb47df1329153f1624 Signed-off-by: Isla Mitchell <isla.mitchell@arm.com>
-
- 23 Jun, 2017 1 commit
-
-
Etienne Carriere authored
This change avoids warning when setting -Wmissing-prototypes to compile bl1_context_mgmt.c. Reported-by: Yann Gautier <yann.gautier@st.com> Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
-
- 21 Jun, 2017 1 commit
-
-
Soby Mathew authored
This patch fixes the following issues in Firmware Update (FWU) code: 1. The FWU layer maintains a list of loaded image ids and while checking for image overlaps, INVALID_IMAGE_IDs were not skipped. The patch now adds code to skip INVALID_IMAGE_IDs. 2. While resetting the state corresponding to an image, the code now resets the memory used by the image only if the image were copied previously via IMAGE_COPY smc. This prevents the invalid zeroing of image memory which are not copied but are directly authenticated via IMAGE_AUTH smc. Change-Id: Idf18e69bcba7259411c88807bd0347d59d9afb8f Signed-off-by: Soby Mathew <soby.mathew@arm.com>
-
- 01 Jun, 2017 2 commits
-
-
Antonio Nino Diaz authored
This SMC is as a means for the image loading state machine to go from COPYING, COPIED or AUTHENTICATED states to RESET state. Previously, this was only done when the authentication of an image failed or when the execution of the image finished. Documentation updated. Change-Id: Ida6d4c65017f83ae5e27465ec36f54499c6534d9 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
Antonio Nino Diaz authored
Added checks to FWU_SMC_IMAGE_COPY to prevent loading data into a memory region where another image data is already loaded. Without this check, if two images are configured to be loaded in overlapping memory regions, one of them can be loaded and authenticated and the copy function is still able to load data from the second image on top of the first one. Since the first image is still in authenticated state, it can be executed, which could lead to the execution of unauthenticated arbitrary code of the second image. Firmware update documentation updated. Change-Id: Ib6871e569794c8e610a5ea59fe162ff5dcec526c Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 15 May, 2017 1 commit
-
-
dp-arm authored
This patch adds `TRUSTED_BOARD_BOOT` support for AArch32 mode. To build this patch the "mbedtls/include/mbedtls/bignum.h" needs to be modified to remove `#define MBEDTLS_HAVE_UDBL` when `MBEDTLS_HAVE_INT32` is defined. This is a workaround for "https://github.com/ARMmbed/mbedtls/issues/708 " NOTE: TBBR support on Juno AArch32 is not currently supported. Change-Id: I86d80e30b9139adc4d9663f112801ece42deafcf Signed-off-by: dp-arm <dimitris.papastamos@arm.com> Co-Authored-By: Yatharth Kochar <yatharth.kochar@arm.com>
-
- 03 May, 2017 1 commit
-
-
dp-arm authored
To make software license auditing simpler, use SPDX[0] license identifiers instead of duplicating the license text in every file. NOTE: Files that have been imported by FreeBSD have not been modified. [0]: https://spdx.org/ Change-Id: I80a00e1f641b8cc075ca5a95b10607ed9ed8761a Signed-off-by: dp-arm <dimitris.papastamos@arm.com>
-
- 20 Apr, 2017 1 commit
-
-
Antonio Nino Diaz authored
SMC_RET0 should only be used when the SMC code works as a function that returns void. If the code of the SMC uses SMC_RET1 to return a value to signify success and doesn't return anything in case of an error (or the other way around) SMC_RET1 should always be used to return clearly identifiable values. This patch fixes two cases in which the code used SMC_RET0 instead of SMC_RET1. It also introduces the define SMC_OK to use when an SMC must return a value to tell that it succeeded, the same way as SMC_UNK is used in case of failure. Change-Id: Ie4278b51559e4262aced13bbde4e844023270582 Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
-
- 06 Feb, 2017 1 commit
-
-
Douglas Raillard authored
Introduce zeromem_dczva function on AArch64 that can handle unaligned addresses and make use of DC ZVA instruction to zero a whole block at a time. This zeroing takes place directly in the cache to speed it up without doing external memory access. Remove the zeromem16 function on AArch64 and replace it with an alias to zeromem. This zeromem16 function is now deprecated. Remove the 16-bytes alignment constraint on __BSS_START__ in firmware-design.md as it is now not mandatory anymore (it used to comply with zeromem16 requirements). Change the 16-bytes alignment constraints in SP min's linker script to a 8-bytes alignment constraint as the AArch32 zeromem implementation is now more efficient on 8-bytes aligned addresses. Introduce zero_normalmem and zeromem helpers in platform agnostic header that are implemented this way: * AArch32: * zero_normalmem: zero using usual data access * zeromem: alias for zero_normalmem * AArch64: * zero_normalmem: zero normal memory using DC ZVA instruction (needs MMU enabled) * zeromem: zero using usual data access Usage guidelines: in most cases, zero_normalmem should be preferred. There are 2 scenarios where zeromem (or memset) must be used instead: * Code that must run with MMU disabled (which means all memory is considered device memory for data accesses). * Code that fills device memory with null bytes. Optionally, the following rule can be applied if performance is important: * Code zeroing small areas (few bytes) that are not secrets should use memset to take advantage of compiler optimizations. Note: Code zeroing security-related critical information should use zero_normalmem/zeromem instead of memset to avoid removal by compilers' optimizations in some cases or misbehaving versions of GCC. Fixes ARM-software/tf-issues#408 Change-Id: Iafd9663fc1070413c3e1904e54091cf60effaa82 Signed-off-by: Douglas Raillard <douglas.raillard@arm.com>
-
- 20 Dec, 2016 4 commits
-
-
Sandrine Bailleux authored
Before adding a base address and a size to compute the end address of an image to copy or authenticate, check this won't result in an integer overflow. If it does then consider the input arguments are invalid. As a result, bl1_plat_mem_check() can now safely assume the end address (computed as the sum of the base address and size of the memory region) doesn't overflow, as the validation is done upfront in bl1_fwu_image_copy/auth(). A debug assertion has been added nonetheless in the ARM implementation in order to help catching such problems, should bl1_plat_mem_check() be called in a different context in the future. Fixes TFV-1: Malformed Firmware Update SMC can result in copy of unexpectedly large data into secure memory Change-Id: I8b8f8dd4c8777705722c7bd0e8b57addcba07e25 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Dan Handley <dan.handley@arm.com>
-
Sandrine Bailleux authored
These debug assertions sanity check the state of the internal FWU state machine data when resuming an incomplete image copy operation. Change-Id: I38a125b0073658c3e2b4b1bdc623ec221741f43e Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
-
Sandrine Bailleux authored
This patch refactors the code of the function handling a FWU_AUTH_COPY SMC in BL1. All input validation has been moved upfront so it is now shared between the RESET and COPYING states. Change-Id: I6a86576b9ce3243c401c2474fe06f06687a70e2f Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Dan Handley <dan.handley@arm.com>
-
Sandrine Bailleux authored
This patch introduces no functional change, it just changes the serial console output. - Improve accuracy of error messages by decoupling some error cases; - Improve comments; - Move declaration of 'mem_layout' local variable closer to where it is used and make it const; - Rename a local variable to clarify whether it is a source or a destination address (base_addr -> dest_addr). Change-Id: I349fcf053e233f316310892211d49e35ef2c39d9 Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com> Signed-off-by: Dan Handley <dan.handley@arm.com>
-
- 14 Dec, 2016 1 commit
-
-
Yatharth Kochar authored
This patch enables TRUSTED_BOARD_BOOT (Authentication and FWU) support, for AArch64, when LOAD_IMAGE_V2 is enabled. This patch also enables LOAD_IMAGE_V2 for ARM platforms. Change-Id: I294a2eebce7a30b6784c80c9d4ac7752808ee3ad Signed-off-by: Yatharth Kochar <yatharth.kochar@arm.com>
-
- 22 Feb, 2016 1 commit
-
-
Yatharth Kochar authored
This patch fixes inconsistencies in bl1_tbbr_image_descs[] and miscellaneous fixes in Firmware Update code. Following are the changes: * As part of the original FWU changes, a `copied_size` field was added to `image_info_t`. This was a subtle binary compatibility break because it changed the size of the `bl31_params_t` struct, which could cause problems if somebody used different versions of BL2 or BL31, one with the old `image_info_t` and one with the new version. This patch put the `copied_size` within the `image_desc_t`. * EXECUTABLE flag is now stored in `ep_info.h.attr` in place of `image_info.h.attr`, associating it to an entrypoint. * The `image_info.image_base` is only relevant for secure images that are copied from non-secure memory into secure memory. This patch removes initializing `image_base` for non secure images in the bl1_tbbr_image_descs[]. * A new macro `SET_STATIC_PARAM_HEAD` is added for populating bl1_tbbr_image_descs[].ep_info/image_info.h members statically. The version, image_type and image attributes are now populated using this new macro. * Added PLAT_ARM_NVM_BASE and PLAT_ARM_NVM_SIZE to avoid direct usage of V2M_FLASH0_XXX in plat/arm/common/arm_bl1_fwu.c. * Refactoring of code/macros related to SECURE and EXECUTABLE flags. NOTE: PLATFORM PORTS THAT RELY ON THE SIZE OF `image_info_t` OR USE the "EXECUTABLE" BIT WITHIN `image_info_t.h.attr` OR USE THEIR OWN `image_desc_t` ARRAY IN BL1, MAY BE BROKEN BY THIS CHANGE. THIS IS CONSIDERED UNLIKELY. Change-Id: Id4e5989af7bf0ed263d19d3751939da1169b561d
-
- 15 Dec, 2015 2 commits
-
-
Dan Handley authored
The current FWU_SMC_UPDATE_DONE implementation incorrectly passes an unused framework cookie through to the 1st argument in the platform function `bl1_plat_fwu_done`. The intent is to allow the SMC caller to pass a cookie through to this function. This patch fixes FWU_SMC_UPDATE_DONE to pass x1 from the caller through to `bl1_plat_fwu_done`. The argument names are updated for clarity. Upstream platforms currently do not use this argument so no impact is expected. Change-Id: I107f4b51eb03e7394f66d9a534ffab1cbc09a9b2
-
Dan Handley authored
The current implementation of FWU_SMC_IMAGE_RESUME when called from the normal world, uses the provided image_id argument to determine which secure image to resume into. This implies that the normal world has a choice of which secure image to resume into when in fact it is only possible to resume into the previously interrupted secure image. This patch removes the argument, tightens up the pre-conditions for the SMC and adds additional asserts. The pre-conditions for FWU_SMC_SEC_IMAGE_DONE are also tightened up. Change-Id: Ia5a46753bb01e8f8dad8a2999314f90db8f300e8
-
- 14 Dec, 2015 1 commit
-
-
Dan Handley authored
The implementation of FWU_SMC_IMAGE_AUTH performs a number of pre-condition checks before authenticating the image. One of these checks calls `bl1_plat_mem_check()` to ensure the image source is mapped in when authenticating an image in place. The framework incorrectly passes the security state of the caller into this function instead of the security state of the source image. This patch corrects the defect. The defect would only manifest itself for secure world callers authenticating non-secure images in place, which is not done by current upstream platforms. Change-Id: I617c7b43e02ac7149f266aeaf3874316e62f3003
-
- 09 Dec, 2015 1 commit
-
-
Yatharth Kochar authored
Firmware update(a.k.a FWU) feature is part of the TBB architecture. BL1 is responsible for carrying out the FWU process if platform specific code detects that it is needed. This patch adds support for FWU feature support in BL1 which is included by enabling `TRUSTED_BOARD_BOOT` compile time flag. This patch adds bl1_fwu.c which contains all the core operations of FWU, which are; SMC handler, image copy, authentication, execution and resumption. It also adds bl1.h introducing #defines for all BL1 SMCs. Following platform porting functions are introduced: int bl1_plat_mem_check(uintptr_t mem_base, unsigned int mem_size, unsigned int flags); This function can be used to add platform specific memory checks for the provided base/size for the given security state. The weak definition will invoke `assert()` and return -ENOMEM. __dead2 void bl1_plat_fwu_done(void *cookie, void *reserved); This function can be used to initiate platform specific procedure to mark completion of the FWU process. The weak definition waits forever calling `wfi()`. plat_bl1_common.c contains weak definitions for above functions. FWU process starts when platform detects it and return the image_id other than BL2_IMAGE_ID by using `bl1_plat_get_next_image_id()` in `bl1_main()`. NOTE: User MUST provide platform specific real definition for bl1_plat_mem_check() in order to use it for Firmware update. Change-Id: Ice189a0885d9722d9e1dd03f76cac1aceb0e25ed
-