1. 24 Feb, 2020 1 commit
    • Introduce a new "dualroot" chain of trust · 5ab8b717
      Sandrine Bailleux authored
      
      
      This new chain of trust defines 2 independent signing domains:
      
      1) One for the silicon firmware (BL1, BL2, BL31) and optionally the
         Trusted OS. It is rooted in the Silicon ROTPK, just as in the TBBR
         CoT.
      
      2) One for the Normal World Bootloader (BL33). It is rooted in a new key
         called Platform ROTPK, or PROTPK for short.
      
      In terms of certificates chain,
      
      - Signing domain 1) is similar to what TBBR advocates (see page 21 of
        the TBBR specification), except that the Non-Trusted World Public Key
        has been removed from the Trusted Key Certificate.
      
      - Signing domain 2) only contains the Non-Trusted World Content
        certificate, which provides the hash of the Non-Trusted World
        Bootloader. Compared to the TBBR CoT, there's no Non-Trusted World
        Key certificate for simplicity.
      
      Change-Id: I62f1e952522d84470acc360cf5ee63e4c4b0b4d9
      Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
  2. 20 Feb, 2020 1 commit
  3. 18 Feb, 2020 3 commits
    • coverity: fix MISRA violations · 2fe75a2d
      Zelalem authored
      
      
      Fixes for the following MISRA violations:
      - Missing explicit parentheses on sub-expression
      - An identifier or macro name beginning with an
        underscore, shall not be declared
      - Type mismatch in BL1 SMC handlers and tspd_main.c
      
      Change-Id: I7a92abf260da95acb0846b27c2997b59b059efc4
      Signed-off-by: Zelalem <zelalem.aweke@arm.com>
    • TBBR: Reduce size of hash buffers when possible · 0b4e5921
      Sandrine Bailleux authored
      The TBBR implementation extracts hashes from certificates and stores
      them in static buffers. TF-A supports 3 variants of SHA right now:
      SHA-256, SHA-384 and SHA-512. When support for SHA-512 was added in
      commit 9a3088a5 ("tbbr: Add build flag
      HASH_ALG to let the user to select the SHA"), the hash buffers got
      unconditionally increased from 51 to 83 bytes each. We can reduce that
      space if we're using SHA-256 or SHA-384.
      
      This saves some BSS space in both BL1 and BL2:
      - BL1 with SHA-256: saving 168 bytes.
      - BL1 with SHA-384: saving 80 bytes.
      - BL2 with SHA-256: saving 384 bytes.
      - BL2 with SHA-384: saving 192 bytes.
      
      Change-Id: I0d02e5dc5f0162e82339c768609c9766cfe7e2bd
      Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
    • TBBR: Reduce size of ECDSA key buffers · 495599cd
      Sandrine Bailleux authored
      
      
      The TBBR implementation extracts public keys from certificates and
      stores them in static buffers. DER-encoded ECDSA keys are only 91 bytes
      each but were each allocated 294 bytes instead. Reducing the size of
      these buffers saves 609 bytes of BSS in BL2 (294 - 91 = 203 bytes for
      each of the 3 key buffers in use).
      
      Also add a comment clarifying that key buffers are tailored on RSA key
      sizes when both ECDSA and RSA keys are used.
      
      Change-Id: Iad332856e7af1f9814418d012fba3e1e9399f72a
      Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
  4. 15 Feb, 2020 4 commits
  5. 07 Feb, 2020 3 commits
    • drivers/arm/scmi: allow use of multiple SCMI channels · 31e703f9
      Aditya Angadi authored
      
      
      On systems that have multiple platform components that can interpret the
      SCMI messages, there is a need to support multiple SCMI channels (one
      each to those platform components). Extend the existing SCMI interface
      that currently supports only a single SCMI channel to support multiple
      SCMI channels.
      
      Change-Id: Ice4062475b903aef3b5e5bc37df364c9778a62c5
      Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>
    • drivers/mhu: derive doorbell base address · f8931606
      Aditya Angadi authored
      
      
      In order to allow the MHUv2 driver to be usable with multiple MHUv2
      controllers, use the base address of the controller from the platform
      information instead of the MHUV2_BASE_ADDR macro.
      
      Change-Id: I4dbab87b929fb0568935e6c8b339ce67937f8cd1
      Signed-off-by: Aditya Angadi <aditya.angadi@arm.com>
    • fconf: initial commit · ab1981db
      Louis Mayencourt authored
      
      
      Introduce the Firmware CONfiguration Framework (fconf).
      
      The fconf is an abstraction layer for platform specific data, allowing
      a "property" to be queried and a value retrieved without the requesting
      entity knowing what backing store is being used to hold the data.
      
      The default backing store used is C structure. If another backing store
      has to be used, the platform integrator needs to provide a "populate()"
      function to fill the corresponding C structure.
      The "populate()" function must be registered to the fconf framework with
      the "FCONF_REGISTER_POPULATOR()". This ensures that the function would
      be called inside the "fconf_populate()" function.
      
      A two level macro is used as getter:
      - the first macro takes 3 parameters and converts it to a function
        call: FCONF_GET_PROPERTY(a,b,c) -> a__b_getter(c).
      - the second level defines a__b_getter(c) to the matching C structure,
        variable, array, function, etc.
      
      Ex: Get a Chain of trust property:
          1) FCONF_GET_PROPERTY(tbbr, cot, BL2_id) -> tbbr__cot_getter(BL2_id)
          2) tbbr__cot_getter(BL2_id) -> cot_desc_ptr[BL2_id]
      
      Change-Id: Id394001353ed295bc680c3f543af0cf8da549469
      Signed-off-by: Louis Mayencourt <louis.mayencourt@arm.com>
  6. 05 Feb, 2020 1 commit
  7. 04 Feb, 2020 1 commit
  8. 30 Jan, 2020 1 commit
    • plat: marvell: armada: add support for loading MG CM3 images · 81646055
      Grzegorz Jaszczyk authored
      
      
      In order to access MG SRAM, the amb bridge needs to be configured which is
      done in bl2 platform init.
      
      For MG CM3, the image is only loaded to its SRAM and the CM3 itself is
      left in reset. It is because the next stage bootloader (e.g. u-boot)
      will trigger action which will take it out of reset when needed. This
      can happen e.g. when appropriate device-tree setup (which has enabled
      802.3 auto-neg) will be chosen. In other cases the MG CM3 should not be
      running.
      
      Change-Id: I816ea14e3a7174eace068ec44e3cc09998d0337e
      Signed-off-by: Grzegorz Jaszczyk <jaz@semihalf.com>
  9. 28 Jan, 2020 2 commits
  10. 20 Jan, 2020 6 commits
  11. 10 Jan, 2020 2 commits
    • io: change seek offset to signed long long · 70cb0bff
      Yann Gautier authored
      
      
      IO seek offset can be set to values above UINT32_MAX, this change
      changes the seek offset argument from 'ssize_t' to 'signed long long'.
      Fixing platform seek functions to match the new interface update.
      
      Change-Id: I25de83b3b7abe5f52a7b0fee36f71e60cac9cfcb
      Signed-off-by: Yann Gautier <yann.gautier@st.com>
      Signed-off-by: Etienne Carriere <etienne.carriere@st.com>
      Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
    • Unify type of "cpu_idx" across PSCI module. · 5b33ad17
      Deepika Bhavnani authored
      
      
      NOTE for platform integrators:
         API `plat_psci_stat_get_residency()` third argument
         `last_cpu_idx` is changed from "signed int" to the
         "unsigned int" type.
      
      Issue / Trouble points
      1. cpu_idx is used as mix of `unsigned int` and `signed int` in code
      with typecasting at some places leading to coverity issues.
      
      2. Underlying platform API's return cpu_idx as `unsigned int`
      and comparison is performed with platform specific defines
      `PLATFORM_xxx` which is not consistent
      
      Misra Rule 10.4:
      The value of a complex expression of integer type may only be cast to
      a type that is narrower and of the same signedness as the underlying
      type of the expression.
      
      Based on above points, cpu_idx is kept as `unsigned int` to match
      the API's and low-level functions and platform defines are updated
      wherever required
      Signed-off-by: Deepika Bhavnani <deepika.bhavnani@arm.com>
      Change-Id: Ib26fd16e420c35527204b126b9b91e8babcc3a5c
  12. 09 Jan, 2020 1 commit
  13. 06 Jan, 2020 1 commit
  14. 03 Jan, 2020 1 commit
    • drivers: add a driver for snoop control unit · c20c0525
      Vishnu Banavath authored
      
      
      The SCU connects one to four Cortex-A5/Cortex-A9 processors
      to the memory system through the AXI interfaces.
      
      The SCU functions are to:
      - maintain data cache coherency between the Cortex-A5/Cortex-A9
        processors
      - initiate L2 AXI memory accesses
      - arbitrate between Cortex-A5/Cortex-A9 processors requesting
        L2 accesses
      - manage ACP accesses.
      
      Snoop Control Unit will enable to snoop on other CPUs caches.
      This is very important when it comes to synchronizing data between
      CPUs. As an example, there is a high chance that data might be
      cached and other CPUs can't see the change. In such cases,
      if snoop control unit is enabled, data is synchronized immediately
      between CPUs and the changes are visible to other CPUs.
      
      This driver provides functionality to enable SCU as well as enabling
      user to know the following
      - number of CPUs present
      - is a particular CPU operating in SMP mode or AMP mode
      - data cache size of a particular CPU
      - does SCU have ACP port
      - is L2CPRESENT
      
      Change-Id: I0d977970154fa60df57caf449200d471f02312a0
      Signed-off-by: Vishnu Banavath <vishnu.banavath@arm.com>
  15. 30 Dec, 2019 1 commit
    • console: 16550: Prepare for skipping initialisation · cd50ffd2
      Andre Przywara authored
      
      
      On some platforms the UART might have already been initialised, for
      instance by firmware running before TF-A or by a separate management
      processor. In this case it would not be necessary to initialise it again
      (doing so could create spurious characters). But more importantly this
      saves us from knowing the right baudrate and the right base clock rate
      for the UART. This can lead to more robust and versatile firmware builds.
      
      Allow to skip the 16550 UART initialisation and baud rate divisor
      programming, by interpreting an input clock rate of "0" to signify this
      case. This will just skip the call to console_16550_core_init, but still
      will register the console properly.
      
      Users should just pass 0 as the second parameter, the baudrate (third
      parameter) will then be ignored as well.
      
      Fix copy & paste typos in comments for the console_16550_register()
      function on the way.
      Signed-off-by: Andre Przywara <andre.przywara@arm.com>
      Change-Id: I9f8fca5b358f878fac0f31dc411358fd160786ee
  16. 14 Dec, 2019 2 commits
    • allwinner: Convert AXP803 regulator setup code into a driver · 0bc752c9
      Samuel Holland authored
      
      
      Previously, the A64/H5 and H6 platforms' PMIC setup code was entirely
      independent. However, some H6 boards also need early regulator setup.
      
      Most of the register interface and all of the device tree traversal code
      can be reused between the AXP803 and AXP805. The main difference is the
      hardware bus interface, so that part is left to the platforms. The
      remainder is moved into a driver.
      
      I factored out the bits that were obviously specific to the AXP803;
      additional changes for compatibility with other PMICs can be made as
      needed.
      
      The only functional change is that rsb_init() now checks the PMIC's chip
      ID register against the expected value. This was already being done in
      the H6 version of the code.
      Signed-off-by: Samuel Holland <samuel@sholland.org>
      Change-Id: Icdcf9edd6565f78cccc503922405129ac27e08a2
    • drivers: allwinner: axp: Add AXP805 support · f6d9c4ca
      Samuel Holland authored
      
      
      This adds the new regulator list, as well as changes to make the switch
      (equivalent to DC1SW on the AXP803) work on both PMICs.
      Signed-off-by: Samuel Holland <samuel@sholland.org>
      Change-Id: I9a1eac8ddfc54b27096c10a8eebdd51aaf9b8311
  17. 11 Dec, 2019 3 commits
  18. 06 Dec, 2019 1 commit
    • libc: Consolidate unified definitions · b382ac68
      Bence Szépkúti authored
      
      
      As supporting architectures aside from AArch32 and AArch64 is not a
      concern, keeping identical definitions in two places for a large part
      of the libc seems counterproductive
      
      The int128 types were left un-unified as __int128 is not supported by
      gcc on AArch32
      Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
      Change-Id: Idf08e6fab7e4680d9da62d3c57266ea2d80472cf
  19. 19 Nov, 2019 3 commits
    • Enable -Wlogical-op always · d7b4cd41
      Justin Chadwell authored
      
      
      -Wlogical-op prevents common errors with using numerical constants where
      a boolean one is expected as well as when the operands of a logical
      operator are the same. While these are perfectly valid behavior, they
      can be a sign that something is slightly off.
      
      This patch adds this warning to gcc and its closest equivalent to
      clang, while also fixing any warnings that enabling them causes.
      
      Change-Id: Iabadfc1e6ee0c44eef6685a23b0aed8abef8ce89
      Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
    • Enable -Wshadow always · b7f6525d
      Justin Chadwell authored
      
      
      Variable shadowing is, according to the C standard, permitted and valid
      behaviour. However, allowing a local variable to take the same name as a
      global one can cause confusion and can make refactoring and bug hunting
      more difficult.
      
      This patch moves -Wshadow from WARNING2 into the general warning group
      so it is always used. It also fixes all warnings that this introduces
      by simply renaming the local variable to a new name
      
      Change-Id: I6b71bdce6580c6e58b5e0b41e4704ab0aa38576e
      Signed-off-by: Justin Chadwell <justin.chadwell@arm.com>
    • GIC-600: Fix include ordering according to the coding style · ac426351
      Max Shvetsov authored
      
      
      Change-Id: Ia120bcaacea3a462ab78db13f84ed23493033601
      Signed-off-by: Max Shvetsov <maksims.svecovs@arm.com>
  20. 15 Nov, 2019 1 commit
    • GIC-600: Fix power up sequence · 7a7fbb12
      Alexei Fedorov authored
      
      
      Arm's GIC-600 features a Power Register (GICR_PWRR),
      which needs to be programmed to enable redistributor
      operation. Section 3.6.1 in the GIC-600 TRM describes
      the power-up and power-down sequence in pseudo code,
      which deviates from the current TF-A implementation
      in drivers/arm/gic/v3/gic600.c.
      For powering on a redistributor, the pseudo code suggests
      to loop over the whole sequence (check for transition,
      write request bit) instead of just looping over the
      ready bit read as TF-A does in gic600_pwr_on().
      This patch fixes GIC-600 power up sequence according
      to the TRM.
      
      Change-Id: I445c480e96ba356b69a2d8e5308ffe6c0a97f45b
      Signed-off-by: Alexei Fedorov <Alexei.Fedorov@arm.com>
  21. 14 Nov, 2019 1 commit