- 02 Sep, 2015 1 commit
-
-
Vikram Kanigiri authored
BL2 loads secure runtime code(BL3-1, BL3-2) and hence it has to run in secure world otherwise BL3-1/BL3-2 have to execute from non-secure memory. Hence, This patch removes the change_security_state() call in bl1_run_bl2() and replaces it with an assert to confirm the BL2 as secure. Fixes ARM-software/tf-issues#314 Change-Id: I611b83f5c4090e58a76a2e950b0d797b46df3c29
-
- 20 Aug, 2015 1 commit
-
-
Juan Castillo authored
BL3-2 image (Secure Payload) is optional. If the image cannot be loaded a warning message is printed and the boot process continues. According to the TBBR document, this behaviour should not apply in case of an authentication error, where the boot process should be aborted. This patch modifies the load_auth_image() function to distinguish between a load error and an authentication error. The caller uses the return value to abort the boot process or continue. In case of authentication error, the memory region used to store the image is wiped clean. Change-Id: I534391d526d514b2a85981c3dda00de67e0e7992
-
- 25 Jun, 2015 5 commits
-
-
Juan Castillo authored
After updating the main authentication module to use the transport and crypto modules and the CoT description, the PolarSSL authentication module is no longer required. This patch deletes it. Change-Id: I8ba1e13fc1cc7b2fa9df14ff59eb798f0460b878
-
Juan Castillo authored
This patch modifies the Trusted Board Boot implementation to use the new authentication framework, making use of the authentication module, the cryto module and the image parser module to authenticate the images in the Chain of Trust. A new function 'load_auth_image()' has been implemented. When TBB is enabled, this function will call the authentication module to authenticate parent images following the CoT up to the root of trust to finally load and authenticate the requested image. The platform is responsible for picking up the right makefiles to build the corresponding cryptographic and image parser libraries. ARM platforms use the mbedTLS based libraries. The platform may also specify what key algorithm should be used to sign the certificates. This is done by declaring the 'KEY_ALG' variable in the platform makefile. FVP and Juno use ECDSA keys. On ARM platforms, BL2 and BL1-RW regions have been increased 4KB each to accommodate the ECDSA code. REMOVED BUILD OPTIONS: * 'AUTH_MOD' Change-Id: I47d436589fc213a39edf5f5297bbd955f15ae867
-
Juan Castillo authored
The Trusted firmware code identifies BL images by name. The platform port defines a name for each image e.g. the IO framework uses this mechanism in the platform function plat_get_image_source(). For a given image name, it returns the handle to the image file which involves comparing images names. In addition, if the image is packaged in a FIP, a name comparison is required to find the UUID for the image. This method is not optimal. This patch changes the interface between the generic and platform code with regard to identifying images. The platform port must now allocate a unique number (ID) for every image. The generic code will use the image ID instead of the name to access its attributes. As a result, the plat_get_image_source() function now takes an image ID as an input parameter. The organisation of data structures within the IO framework has been rationalised to use an image ID as an index into an array which contains attributes of the image such as UUID and name. This prevents the name comparisons. A new type 'io_uuid_spec_t' has been introduced in the IO framework to specify images identified by UUID (i.e. when the image is contained in a FIP file). There is no longer need to maintain a look-up table [iname_name --> uuid] in the io_fip driver code. Because image names are no longer mandatory in the platform port, the debug messages in the generic code will show the image identifier instead of the file name. The platforms that support semihosting to load images (i.e. FVP) must provide the file names as definitions private to the platform. The ARM platform ports and documentation have been updated accordingly. All ARM platforms reuse the image IDs defined in the platform common code. These IDs will be used to access other attributes of an image in subsequent patches. IMPORTANT: applying this patch breaks compatibility for platforms that use TF BL1 or BL2 images or the image loading code. The platform port must be updated to match the new interface. Change-Id: I9c1b04cb1a0684c6ee65dee66146dd6731751ea5
-
Juan Castillo authored
Using assert() to check the length of keys and hashes included in a certificate is not a safe approach because assert() only applies to debug builds. A malformed certificate could exploit security flaws in release binaries due to buffer overflows. This patch replaces assert() with runtime checkings in the PolarSSL authentication module, so malformed certificates can not cause a memory overflow. Change-Id: I42ba912020595752c806cbd242fe3c74077d993b
-
Juan Castillo authored
The cert_create tool calculates the hash of each BL image and includes it as an ASN.1 OCTET STRING in the corresponding certificate extension. Without additional information, the firmware running on the platform has to know in advance the algorithm used to generate the hash. This patch modifies the cert_create tool so the certificate extensions that include an image hash are generated according to the following ASN.1 structure: DigestInfo ::= SEQUENCE { digestAlgorithm AlgorithmIdentifier, digest OCTET STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } The PolarSSL module has been updated to extract the image hash from the certificate extension according to this structure. Change-Id: I6d83430f12a8a0eea8447bec7c936e903f644c85
-
- 27 Apr, 2015 1 commit
-
-
Dan Handley authored
Commit dad25049 adds support for type checking in printf-like functions. Some of the VERBOSE logging statements were not updated at that time. Fix the type mismatches in the verbose logging statements. Change-Id: Idd9a49e41cc0dc31f7698e220819d934e3d2d10e
-
- 08 Apr, 2015 1 commit
-
-
Kévin Petit authored
In order for the symbol table in the ELF file to contain the size of functions written in assembly, it is necessary to report it to the assembler using the .size directive. To fulfil the above requirements, this patch introduces an 'endfunc' macro which contains the .endfunc and .size directives. It also adds a .func directive to the 'func' assembler macro. The .func/.endfunc have been used so the assembler can fail if endfunc is omitted. Fixes ARM-Software/tf-issues#295 Change-Id: If8cb331b03d7f38fe7e3694d4de26f1075b278fc Signed-off-by: Kévin Petit <kevin.petit@arm.com>
-
- 11 Mar, 2015 1 commit
-
-
Juan Castillo authored
Commit ea4ec3aa ("TBB: use SHA256 to generate the certificate signatures") updated the cert_create tool to generate the signatures using SHA256 instead of SHA1. Therefore, SHA1 is no longer required. This patch removes the SHA1 option from the PolarSSL configuration file. The source file sha1.c is no longer needed and has been excluded from the build. The SHA1 functions are no longer included in the binary, reducing the memory footprint of BL1 and BL2 by approximately 6 KB. Change-Id: I72ea2cff03c0964c3eaadce148ec2ad2c6dde2e3
-
- 05 Mar, 2015 1 commit
-
-
Sandrine Bailleux authored
All coding style violations have been fixed in a previous patch and since then, each individual patch has been checked in this regard. However, the latest version of the checkpatch.pl script from the Linux kernel is more advanced and it is able to flag new errors in the Trusted Firmware codebase. This patch fixes them. Change-Id: I1f332f2440984be85d36b231bb83260368987077
-
- 28 Jan, 2015 3 commits
-
-
Juan Castillo authored
This patch provides an API to access the authentication module that will be used to verify the authenticity of the images loaded into memory as part of the Trusted Board Boot process. To include the authentication module as part of the build, set the boolean build option TRUSTED_BOARD_BOOT. One single authentication module must be registered at build time by setting the build option AUTH_MOD=<mod_name>. All authentication modules will be located in 'common/auth/<mod_name>' and must present the <mod_name>.mk file that will be included by the build system to compile the module sources. To create an authentication module, an instance of auth_mod_t called 'auth_mod' must be declared in the module sources. The initialization and verification functions provided by the module will be exported through the function pointers specified when declaring this instance. If an authentication module includes third party sources that do not adhere to the C99 standard, the -pedantic option may be removed from the build options by setting the flag DISABLE_PEDANTIC in the module file <mod_name>.mk. Change-Id: I080bb04bd421029bcdf22ec2c63807afbf061dcd
-
Juan Castillo authored
This patch implements an authentication module based on the PolarSSL library (v1.3.9) to verify the Chain of Trust when Trusted Boot is enabled. PolarSSL sources must be fetched separately. The POLARSSL_DIR build option may be used to indicate the path to the PolarSSL main directory (this directory must contain the 'include' and 'library' subdirectories). To be able to build PolarSSL sources as a part of the Trusted Firmware build process, the DISABLE_PEDANTIC flag in polarssl.mk will tell the build system to remove the -pedantic option from the CFLAGS. Inclusion of PolarSSL increases the memory requirements of the BL1 and BL2 images. The following are the changes made to the FVP and Juno platforms to cater for this when TRUSTED_BOARD_BOOT is defined: Changes on FVP: - BL1 and BL2 stacks have been increased to 4 KB - BL1(rw) section has been increased to 32 KB. - BL2 memory region has been increased to 112 KB Changes on Juno: - BL1 and BL2 stacks have been increased to 4 KB - BL1(rw) section has been increased to 32 KB. - Trusted ROM region in Flash has been increased to 128 KB. - BL2 memory region has been increased to 116 KB Change-Id: Ie87d80d43408eb6239c4acd0ec5ab2120e4e9e80
-
Juan Castillo authored
This patch adds support to not reserve the memory where an image is loaded if the image is: 1. A non-executable image e.g. a certificate 2. An executable image which is not meant to run on the application CPU (e.g. BL3-0) Both types of images are characterized by a NULL entrypoint argument to the load_image() function. It is used to distinguish them from other type of images. Important: Use this feature carefully. The caller is responsible for providing a valid entrypoint while loading images which will execute on the application CPU to prevent a potential overwrite of the corresponding memory region. Change-Id: Ied482280d9db714c529ec12c33a6c1d918d77a4e
-
- 19 Aug, 2014 1 commit
-
-
Soby Mathew authored
This patch provides a workaround for the ASM_ASSERT label issue and also reworks the use of labels in assembly macros. If the caller of the ASM_ASSERT macro happened to use the label '1' to jump past the ASM_ASSERT macro, it would not have worked since the ASM_ASSERT macro internally used the same label. Hence, as a workaround, this patch makes the label a high number in the expectation that the caller will never use it. Also updated the other assembly macros using numerical labels to named lables. Change-Id: Iec892359db84f2391ad2a83a92141c4d7049776a
-
- 12 Aug, 2014 1 commit
-
-
Dan Handley authored
Fix the following issues with the console log output: * Make sure the welcome string is the first thing in the log output (during normal boot). * Prefix each message with the BL image name so it's clear which BL the output is coming from. * Ensure all output is wrapped in one of the log output macros so it can be easily compiled out if necessary. Change some of the INFO() messages to VERBOSE(), especially in the TSP. * Create some extra NOTICE() and INFO() messages during cold boot. * Remove all usage of \r in log output. Fixes ARM-software/tf-issues#231 Change-Id: Ib24f7acb36ce64bbba549f204b9cde2dbb46c8a3
-
- 28 Jul, 2014 3 commits
-
-
Juan Castillo authored
Assert a valid security state using the macro sec_state_is_valid(). Replace assert() with panic() in those cases that might arise because of runtime errors and not programming errors. Replace panic() with assert() in those cases that might arise because of programming errors. Fixes ARM-software/tf-issues#96 Change-Id: I51e9ef0439fd5ff5e0edfef49050b69804bf14d5
-
Soby Mathew authored
This patch reworks the crash reporting mechanism to further optimise the stack and code size. The reporting makes use of assembly console functions to avoid calling C Runtime to report the CPU state. The crash buffer requirement is reduced to 64 bytes with this implementation. The crash buffer is now part of per-cpu data which makes retrieving the crash buffer trivial. Also now panic() will use crash reporting if invoked from BL3-1. Fixes ARM-software/tf-issues#199 Change-Id: I79d27a4524583d723483165dc40801f45e627da5
-
Soby Mathew authored
The patch implements a macro ASM_ASSERT() which can be invoked from assembly code. When assertion happens, file name and line number of the check is written to the crash console. Fixes ARM-software/tf-issues#95 Change-Id: I6f905a068e1c0fa4f746d723f18df60daaa00a86
-
- 25 Jul, 2014 1 commit
-
-
Soby Mathew authored
This patch implements a "tf_printf" which supports only the commonly used format specifiers in Trusted Firmware, which uses a lot less stack space than the stdlib printf function. Fixes ARM-software/tf-issues#116 Change-Id: I7dfa1944f4c1e634b3e2d571f49afe02d109a351
-
- 01 Jul, 2014 1 commit
-
-
Sandrine Bailleux authored
This concept is no longer required since we now support loading of images at fixed addresses only. The image loader now automatically detects the position of the image inside the current memory layout and updates the layout such that memory fragmentation is minimised. The 'attr' field of the meminfo data structure, which used to hold the bottom/top loading information, has been removed. Also the 'next' field has been removed as it wasn't used anywhere. The 'init_bl2_mem_layout()' function has been moved out of common code and put in BL1-specific code. It has also been renamed into 'bl1_init_bl2_mem_layout'. Fixes ARM-software/tf-issues#109 Change-Id: I3f54642ce7b763d5ee3b047ad0ab59eabbcf916d
-
- 05 Jun, 2014 1 commit
-
-
Sandrine Bailleux authored
There are cases where the entry point information is useless to the caller, e.g. when an image just needs to be loaded in memory but won't ever be executed. This patch allows load_image() function to take a NULL pointer as the entry point argument. In this case, it won't be populated. Change-Id: Ie9394b054457706c6699926c5e0206e0c3851c56
-
- 23 May, 2014 1 commit
-
-
Dan Handley authored
Some platform porting functions were in BL specific header files. These have been moved to platform.h so that all porting functions are in the same place. The functions are now grouped by BL. Obsolete BL headers files have been removed. Also, the weak declaration of the init_bl2_mem_layout() function has been moved out the header file and into the source file (bl_common.c) using the more succinct #pragma syntax. This mitigates the risk of 2 weak definitions being created and the wrong one being picked up by the compiler. Change-Id: Ib19934939fd755f3e5a5a5bceec88da684308a83
-
- 22 May, 2014 4 commits
-
-
Vikram Kanigiri authored
The issues addressed in this patch are: 1. Remove meminfo_t from the common interfaces in BL3-x, expecting that platform code will find a suitable mechanism to determine the memory extents in these images and provide it to the BL3-x images. 2. Remove meminfo_t and bl31_plat_params_t from all FVP BL3-x code as the images use link-time information to determine memory extents. meminfo_t is still used by common interface in BL1/BL2 for loading images Change-Id: I4e825ebf6f515b59d84dc2bdddf6edbf15e2d60f
-
Vikram Kanigiri authored
This patch is based on spec published at https://github.com/ARM-software/tf-issues/issues/133 It rearranges the bl31_args struct into bl31_params and bl31_plat_params which provide the information needed for Trusted firmware and platform specific data via x0 and x1 On the FVP platform BL3-1 params and BL3-1 plat params and its constituents are stored at the start of TZDRAM. The information about memory availability and size for BL3-1, BL3-2 and BL3-3 is moved into platform specific data. Change-Id: I8b32057a3d0dd3968ea26c2541a0714177820da9
-
Vikram Kanigiri authored
This patch reworks the handover interface from: BL1 to BL2 and BL2 to BL3-1. It removes the raise_el(), change_el(), drop_el() and run_image() functions as they catered for code paths that were never exercised. BL1 calls bl1_run_bl2() to jump into BL2 instead of doing the same by calling run_image(). Similarly, BL2 issues the SMC to transfer execution to BL3-1 through BL1 directly. Only x0 and x1 are used to pass arguments to BL31. These arguments and parameters for running BL3-1 are passed through a reference to a 'el_change_info_t' structure. They were being passed value in general purpose registers earlier. Change-Id: Id4fd019a19a9595de063766d4a66295a2c9307e1
-
Vikram Kanigiri authored
This patch introduces macros (SPSR_64 and SPSR_32) to create a SPSR for both aarch32 and aarch64 execution states. These macros allow the user to set fields in the SPSR depending upon its format. The make_spsr() function which did not allow manipulation of all the fields in the aarch32 SPSR has been replaced by these new macros. Change-Id: I9425dda0923e8d5f03d03ddb8fa0e28392c4c61e
-
- 16 May, 2014 1 commit
-
-
Soby Mathew authored
This patch implements the register reporting when unhandled exceptions are taken in BL3-1. Unhandled exceptions will result in a dump of registers to the console, before halting execution by that CPU. The Crash Stack, previously called the Exception Stack, is used for this activity. This stack is used to preserve the CPU context and runtime stack contents for debugging and analysis. This also introduces the per_cpu_ptr_cache, referenced by tpidr_el3, to provide easy access to some of BL3-1 per-cpu data structures. Initially, this is used to provide a pointer to the Crash stack. panic() now prints the the error file and line number in Debug mode and prints the PC value in release mode. The Exception Stack is renamed to Crash Stack with this patch. The original intention of exception stack is no longer valid since we intend to support several valid exceptions like IRQ and FIQ in the trusted firmware context. This stack is now utilized for dumping and reporting the system state when a crash happens and hence the rename. Fixes ARM-software/tf-issues#79 Improve reporting of unhandled exception Change-Id: I260791dc05536b78547412d147193cdccae7811a
-
- 09 May, 2014 1 commit
-
-
Sandrine Bailleux authored
The goal of these macros is to improve code readability by providing a concise way to check whether we are running in the expected exception level. Change-Id: If9aebadfb6299a5196e9a582b442f0971d9909b1
-
- 06 May, 2014 5 commits
-
-
Dan Handley authored
Update code base to remove variables from the .data section, mainly by using const static data where possible and adding the const specifier as required. Most changes are to the IO subsystem, including the framework APIs. The FVP power management code is also affected. Delay initialization of the global static variable, next_image_type in bl31_main.c, until it is realy needed. Doing this moves the variable from the .data to the .bss section. Also review the IO interface for inconsistencies, using uintptr_t where possible instead of void *. Remove the io_handle and io_dev_handle typedefs, which were unnecessary, replacing instances with uintptr_t. Fixes ARM-software/tf-issues#107. Change-Id: I085a62197c82410b566e4698e5590063563ed304
-
Dan Handley authored
Reduce the number of header files included from other header files as much as possible without splitting the files. Use forward declarations where possible. This allows removal of some unnecessary "#ifndef __ASSEMBLY__" statements. Also, review the .c and .S files for which header files really need including and reorder the #include statements alphabetically. Fixes ARM-software/tf-issues#31 Change-Id: Iec92fb976334c77453e010b60bcf56f3be72bd3e
-
Dan Handley authored
Add tag names to all unnamed structs in header files. This allows forward declaration of structs, which is necessary to reduce header file nesting (to be implemented in a subsequent commit). Also change the typedef names across the codebase to use the _t suffix to be more conformant with the Linux coding style. The coding style actually prefers us not to use typedefs at all but this is considered a step too far for Trusted Firmware. Also change the IO framework structs defintions to use typedef'd structs to be consistent with the rest of the codebase. Change-Id: I722b2c86fc0d92e4da3b15e5cab20373dd26786f
-
Dan Handley authored
Make codebase consistent in its use of #include "" syntax for user includes and #include <> syntax for system includes. Fixes ARM-software/tf-issues#65 Change-Id: If2f7c4885173b1fd05ac2cde5f1c8a07000c7a33
-
Dan Handley authored
Move almost all system include files to a logical sub-directory under ./include. The only remaining system include directories not under ./include are specific to the platform. Move the corresponding source files to match the include directory structure. Also remove pm.h as it is no longer used. Change-Id: Ie5ea6368ec5fad459f3e8a802ad129135527f0b3
-
- 26 Mar, 2014 1 commit
-
-
Sandrine Bailleux authored
bl1/aarch64/early_exceptions.S used to be re-used by BL2, BL3-1 and BL3-2. There was some early SMC handling code in there that was not required by the other bootloader stages. Therefore this patch introduces an even simpler exception vector source file for BL2, BL3-1 and BL3-2. Fixes ARM-software/tf-issues#38 Change-Id: I0244b80e9930b0f8035156a0bf91cc3e9a8f995d
-
- 21 Mar, 2014 1 commit
-
-
Vikram Kanigiri authored
Each ARM Trusted Firmware image should know in which EL it is running and it should use the corresponding register directly instead of reading currentEL and knowing which asm register to read/write Change-Id: Ief35630190b6f07c8fbb7ba6cb20db308f002945
-
- 05 Mar, 2014 1 commit
-
-
Ryan Harkin authored
Fixes ARM-software/tf-issues#42 Some callers of load_image() may need to get the size of the image before/after loading it. Change-Id: I8dc067b69fc711433651a560ba5a8c3519445857 Signed-off-by: Ryan Harkin <ryan.harkin@linaro.org>
-
- 26 Feb, 2014 1 commit
-
-
Jeenu Viswambharan authored
At present, the firmware panics if a runtime service fails to initialize. An earlier patch had implemented late binding for all runtime service handlers. With that in place, this patch allows the firmware to proceed even when a service fails to initialize. Change-Id: I6cf4de2cecea9719f4cd48272a77cf459b080d4e
-
- 20 Feb, 2014 2 commits
-
-
Jeenu Viswambharan authored
At present many recoverable failures are reported as errors. This patch modifies all such failures to be reported as warnings instead. Change-Id: I5141653c82498defcada9b90fdf7498ba496b2f2
-
Achin Gupta authored
This patch creates a 'services' directory and moves the PSCI under it. Other runtime services e.g. the Secure Payload Dispatcher service will be placed under the same directory in the future. Also fixes issue ARM-software/tf-issues#12 Change-Id: I187f83dcb660b728f82155d91882e961d2255068
-